Symmetric Ciphers #6
Closed
optnfast pushed a commit that referenced this issue (Aug 3, 2018)
optnfast pushed a commit that referenced this issue (Aug 3, 2018): For testing with SoftHSM2 you need at least version 2.4.0, i.e. at least Debian buster/sid or Ubuntu cosmic (or BYO). This commit also updates our dependency on github.com/miekg/pkcs11 to one with GCM support. re #6
optnfast pushed a commit that referenced this issue (Aug 6, 2018): You can now have a crypto11.BlockModeCloser, and must call Close(), or a cipher.BlockMode, but it has a finalizer. re #6
optnfast pushed a commit that referenced this issue (Aug 6, 2018): This is rather an abuse of the cipher.AEAD interface as the name and description both indicate it provides authenticated encryption, which is not the case for CBC. The risk of using it in a context where authentication is required is mitigated only by documentation. re #6
optnfast pushed a commit that referenced this issue (Aug 7, 2018)
optnfast pushed a commit that referenced this issue (Aug 7, 2018)
optnfast added a commit that referenced this issue (Oct 3, 2018):
* Implement cipher.Block for AES and DES3 re #6
* Fast CBC support re #6
* Exercise GCM in tests re #6
* HSM-native GCM. For testing with SoftHSM2 you need at least version 2.4.0, i.e. at least Debian buster/sid or Ubuntu cosmic (or BYO). This commit also updates our dependency on github.com/miekg/pkcs11 to one with GCM support. re #6
* HMAC implementation re #7
* Finalized symmetric crypto interface. You can now have a crypto11.BlockModeCloser, and must call Close(), or a cipher.BlockMode, but it has a finalizer. re #6
* Expose CBC via cipher.AEAD. This is rather an abuse of the cipher.AEAD interface as the name and description both indicate it provides authenticated encryption, which is not the case for CBC. The risk of using it in a context where authentication is required is mitigated only by documentation. re #6
* Linter-driven cleanup
* Split symmetric support into separate files re #6 re #7
* Documentation review re #6
* Keep blockModeCloser alive during PKCS#11 calls re #6
* Implement HMAC Reset() and make Sum() friendlier re #7
* HMAC empty inputs without panicking re #7
* update Gopkg.lock. We depend upon miekg/pkcs11#82.
* Query GCM capability rather than provider
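The "Expose CBC via cipher.AEAD" commit above calls that exposure "rather an abuse" of the interface, mitigated only by documentation. The block below is an added example, not crypto11's code, that makes the gap observable: a constructed cbcAEAD type (IV as the nonce, PKCS#7 padding, additional data ignored because CBC has nothing to bind it to) is placed beside Go's real AES-GCM, and both are asked to Open a ciphertext with one bit changed and an intact ciphertext presented with different additional data. The names cbcAEAD, probe and tamperReport, the sample message, key, nonce and header strings are all this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// cbcAEAD is a constructed stand-in for "CBC exposed via cipher.AEAD"; it is
// not crypto11's code. The nonce is the CBC IV, padding is PKCS#7, and the
// additional data is ignored because CBC has no tag to bind it to.
type cbcAEAD struct{ block cipher.Block }

func (c cbcAEAD) NonceSize() int { return aes.BlockSize }
func (c cbcAEAD) Overhead() int  { return aes.BlockSize } // at most one block of padding
func (c cbcAEAD) Seal(dst, nonce, plaintext, _ []byte) []byte {
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(c.block, nonce).CryptBlocks(out, padded)
	return append(dst, out...)
}
func (c cbcAEAD) Open(dst, nonce, ciphertext, _ []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("cbc: ciphertext is not whole blocks")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(c.block, nonce).CryptBlocks(out, ciphertext)
	pt, err := pkcs7Unpad(out) // the only check there is, and padding is not integrity
	if err != nil {
		return nil, err
	}
	return append(dst, pt...), nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("cbc: bad padding")
	}
	for _, v := range b[len(b)-n:] {
		if int(v) != n {
			return nil, errors.New("cbc: bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// tamperReport records, for each AEAD, whether Open rejected a ciphertext with
// one byte changed and whether it rejected mismatched additional data. An
// implementation that honours the cipher.AEAD contract rejects both.
type tamperReport struct {
	RoundTrip                        bool // both Open the intact ciphertext back to the plaintext
	GCMRejectsFlip, CBCRejectsFlip   bool
	GCMRejectsBadAD, CBCRejectsBadAD bool
}

// probe runs the checks against real AES-GCM and against cbcAEAD on one key.
func probe(key []byte) (tamperReport, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return tamperReport{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return tamperReport{}, err
	}
	msg := []byte("constructed plaintext") // 21 bytes, so CBC pads to two blocks
	ad, badAD := []byte("header v1"), []byte("header v2")
	check := func(a cipher.AEAD) (roundTrip, rejectsFlip, rejectsBadAD bool) {
		nonce := bytes.Repeat([]byte{0x42}, a.NonceSize()) // constructed, fixed so the run is deterministic
		ct := a.Seal(nil, nonce, msg, ad)
		pt, err := a.Open(nil, nonce, ct, ad)
		roundTrip = err == nil && bytes.Equal(pt, msg)
		flipped := append([]byte{}, ct...)
		flipped[0] ^= 0x01 // one bit in the first ciphertext byte
		_, err = a.Open(nil, nonce, flipped, ad)
		rejectsFlip = err != nil
		_, err = a.Open(nil, nonce, ct, badAD)
		rejectsBadAD = err != nil
		return
	}
	g1, g2, g3 := check(gcm)
	c1, c2, c3 := check(cbcAEAD{block})
	return tamperReport{g1 && c1, g2, c2, g3, c3}, nil
}

func main() {
	r, err := probe(make([]byte, 16)) // constructed all-zero key
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

GCM refuses both the modified ciphertext and the mismatched additional data; the CBC wrapper returns a plaintext with no error in both cases, because PKCS#7 padding is the only thing it can check and the additional data never enters the computation. A consumer that receives a cipher.AEAD from a library and relies on Open failing for modified input gets no such signal from the CBC variant. Running a probe like this against whatever AEAD an application actually obtains from crypto11 is the concrete check that turns "mitigated only by documentation" into something a test suite enforces.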
At present crypto11 only supports asymmetric keys. We would like to extend it to support symmetric ciphers too. This issue covers the relevant confidentiality interfaces and the issues that they raise.
Throughout I will discuss encryption, with decryption left implicit, unless it's actually different in some relevant way.
Interfaces
cipher.Block
Encrypts or decrypts single blocks in a stateless way. This could be implemented by calling C_EncryptInit and C_Encrypt with a single block and a CKM_*_ECB mechanism. The alternative approach of using C_EncryptInit once and multiple calls to C_EncryptUpdate will not work; this sequence requires a final C_EncryptFinal but the interface does not include any way for the caller to signal that it is finished.
cipher.BlockMode
Encrypts or decrypts multiple blocks in a stateful way. We would like to turn each call to CryptBlocks into a call to C_EncryptUpdate, but again we face the issue that we have no idea when to call C_EncryptFinal. Without this our only option is to fall back to the native block modes (cipher.NewGCMEncrypter etc.) with the cipher.Block discussed above. See below for a discussion of the performance impact.
cipher.AEAD
Encrypts or decrypts whole messages. This is much more promising: we can use the PKCS#11 functions in an idiomatic way and don't have to guess when to call C_EncryptFinal.
cipher.Stream
Encrypts or decrypts message fragments in a stateful way. Here we face the same issue as with BlockMode, that we do not know when to call C_EncryptFinal, but without the slow implementation of cipher.Block to fall back on.
Performance Issues
On my experimental branch, the native version (using Go's native cipher.NewCBCEncrypter, so making a call to the HSM with each block) takes hundreds of times as long as an idiomatic implementation. For instance, encrypting 64 Kbyte messages using an emulated nShield HSM:
Or using SoftHSM2:
Our issues could, superficially, be solved if cipher.Block, cipher.BlockMode and cipher.Stream had Close() methods. However, given that this isn't already true, deployment of a change could be painful, as all code using these would have to be updated to call the new method before it could correctly use crypto11. See golang/go#26787 for further discussion on this point.
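The trade-off the post describes (cipher.Block costs one HSM round trip per block, while the stateful interfaces have no way to say "finished" and so cannot map CryptBlocks onto C_EncryptUpdate without a Close) can be made concrete without a token. The block below is an added example, not crypto11's code. fakeHSM is a constructed stand-in for a PKCS#11 token that counts simulated C_EncryptInit, C_Encrypt, C_EncryptUpdate and C_EncryptFinal calls; hsmBlock is the per-block cipher.Block design; hsmCBC implements the BlockModeCloser shape the later commits adopt, with Close calling C_EncryptFinal and a finalizer as fallback; compareDesigns encrypts the same 64 KiB message both ways and against Go's own software CBC. Apart from the Go standard library and the C_* names taken from the post, every identifier is this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"runtime"
)

// fakeHSM is a constructed stand-in for a PKCS#11 token; no real C_* calls are
// made. It counts simulated calls so the designs compare by round trips.
type fakeHSM struct {
	key   cipher.Block     // software AES standing in for the key object in the token
	op    cipher.BlockMode // open multi-part CBC operation, nil when none
	Calls int              // simulated PKCS#11 calls so far
}
// EncryptInit: a nil IV selects single-part ECB (CKM_AES_ECB), an IV multi-part CBC.
func (h *fakeHSM) EncryptInit(iv []byte) {
	h.Calls++
	h.op = nil
	if iv != nil {
		h.op = cipher.NewCBCEncrypter(h.key, iv)
	}
}
// Encrypt is single-part (one block, operation over); EncryptUpdate feeds
// blocks to the open multi-part operation; EncryptFinal closes it.
func (h *fakeHSM) Encrypt(dst, src []byte)       { h.Calls++; h.key.Encrypt(dst, src) }
func (h *fakeHSM) EncryptUpdate(dst, src []byte) { h.Calls++; h.op.CryptBlocks(dst, src) }
func (h *fakeHSM) EncryptFinal()                 { h.Calls++; h.op = nil }

// hsmBlock is the cipher.Block design from the post: every block is its own
// C_EncryptInit + C_Encrypt round trip with an ECB mechanism.
type hsmBlock struct{ h *fakeHSM }
func (b hsmBlock) BlockSize() int { return aes.BlockSize }
func (b hsmBlock) Encrypt(dst, src []byte) {
	b.h.EncryptInit(nil)
	b.h.Encrypt(dst[:aes.BlockSize], src[:aes.BlockSize])
}
func (b hsmBlock) Decrypt(dst, src []byte) { panic("decryption left implicit, as in the post") }

// BlockModeCloser is the shape the later commits adopt: cipher.BlockMode plus
// the "I am finished" signal that lets the implementation call C_EncryptFinal.
type BlockModeCloser interface {
	cipher.BlockMode
	Close() error
}

// hsmCBC maps CryptBlocks to C_EncryptUpdate and Close to C_EncryptFinal. The
// finalizer backstops callers that forget Close; until it runs, the operation stays open.
type hsmCBC struct {
	h      *fakeHSM
	closed bool
}
func newHSMCBC(h *fakeHSM, iv []byte) BlockModeCloser {
	h.EncryptInit(iv)
	m := &hsmCBC{h: h}
	runtime.SetFinalizer(m, func(m *hsmCBC) { _ = m.Close() })
	return m
}
func (m *hsmCBC) BlockSize() int { return aes.BlockSize }
func (m *hsmCBC) CryptBlocks(dst, src []byte) {
	if m.closed || len(src)%aes.BlockSize != 0 {
		panic("hsmCBC: use after Close, or input is not whole blocks")
	}
	m.h.EncryptUpdate(dst[:len(src)], src)
}
func (m *hsmCBC) Close() error {
	if !m.closed {
		m.closed = true
		runtime.SetFinalizer(m, nil)
		m.h.EncryptFinal()
	}
	return nil
}

// compareDesigns encrypts a whole-block plaintext with both designs and with
// crypto/cipher's software CBC as the reference. match reports whether both
// HSM-path ciphertexts equal the reference; the counts are simulated calls.
func compareDesigns(key, iv, plaintext []byte) (match bool, perBlockCalls, multiPartCalls int) {
	sw, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // crypto/cipher itself panics on bad IV sizes; treat a bad key the same way
	}
	n := len(plaintext)
	ref, out1, out2 := make([]byte, n), make([]byte, n), make([]byte, n)
	cipher.NewCBCEncrypter(sw, iv).CryptBlocks(ref, plaintext)
	h1 := &fakeHSM{key: sw} // design 1: Go's CBC driving the per-block cipher.Block
	cipher.NewCBCEncrypter(hsmBlock{h1}, iv).CryptBlocks(out1, plaintext)
	h2 := &fakeHSM{key: sw} // design 2: BlockModeCloser doing Init / Update / Final
	m := newHSMCBC(h2, iv)
	m.CryptBlocks(out2, plaintext)
	_ = m.Close()
	return bytes.Equal(out1, ref) && bytes.Equal(out2, ref), h1.Calls, h2.Calls
}

func main() {
	key, iv := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16) // constructed
	ok, a, b := compareDesigns(key, iv, make([]byte, 64*1024))               // 64 KiB, as in the post
	fmt.Printf("match=%v per-block cipher.Block=%d calls BlockModeCloser=%d calls\n", ok, a, b)
}
```

For a 64 KiB message the per-block path makes 8192 simulated calls (an Init and an Encrypt for each of 4096 blocks) where the multi-part path makes 3, which is the round-trip ratio behind the "hundreds of times as long" measured against a real HSM. The finalizer deserves a precise reading: a forgotten Close still ends the token-side operation eventually, but until the collector runs that operation stays open on the session and blocks any other operation on it, so Close should be treated as mandatory and the finalizer as a backstop, which is the position the later commit messages take.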