----- Forwarded message from Sašo Kiselkov <[email protected]> -----
From: Sašo Kiselkov <[email protected]>
Date: Wed, 03 Oct 2012 15:54:08 +0200
To: [email protected]
CC: Eugen Leitl <[email protected]>
Subject: Re: [cryptography] [zfs] SHA-3 winner announced
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1

On 10/03/2012 03:16 PM, Eugen Leitl wrote:
> ----- Forwarded message from "David McGrew (mcgrew)" <[email protected]> -----
>
> From: "David McGrew (mcgrew)" <[email protected]>
> Date: Wed, 3 Oct 2012 12:41:26 +0000
> To: Eugen Leitl <[email protected]>,
>     "[email protected]" <[email protected]>
> Subject: Re: [cryptography] [zfs] SHA-3 winner announced
> user-agent: Microsoft-MacOutlook/14.2.1.120420
>
> If the hash function is being used in a symmetric message authentication
> code, such as HMAC, then a good alternative would be to use a MAC that has
> the performance properties that you are looking for, such as AES-GMAC,
> which is supported on recent x86 systems
> <http://www.intel.com/content/www/us/en/communications/communications-ia-galois-counter-mode-paper.html>.

Nope, ZFS doesn't use the checksum/hash algorithm as an HMAC.

> AES-GCM is described as being supported
> in ZFS in Solaris 11 at
> <http://docs.oracle.com/cd/E23824_01/html/E24456/securedata-1.html#zfsencrypt-1>,
> though I don't see any details as to how that is implemented.

1) Illumos != Solaris (the latter being a proprietary product of Oracle)
2) It's probably implemented in the crypto module in the Solaris kernel

Anyways, this is irrelevant, since Illumos' ZFS doesn't use HMACs.

> Are the requirements for the security of ZFS and the use of cryptography
> in that filesystem documented anywhere?
The checksum/hash algorithms are used primarily in two areas:

1) data integrity checksums (no security required)
2) in-line data deduplication (some security required)

The latter is the only one that warrants some security concerns, in order to
prevent an attacker generating a collision block to intentionally corrupt
on-disk data; however, this attack is in itself highly impractical, even if
the hash used were completely and utterly broken. And even so, it's very easy
to tell ZFS to do a bit-by-bit comparison of the target blocks prior to
deduplication, instantly negating any potential security problems observed in
the hash at a later date during its life cycle.

> <https://blogs.oracle.com/bonwick/entry/zfs_end_to_end_data> mentions a
> Merkle tree of checksums, where the checksum function can be either
> Fletcher or SHA-256. A collision-resistant hash of an entire system is
> indispensable if asymmetric authentication is needed, but are there common
> scenarios where that is needed? If encryption is used in ZFS, then there
> is necessarily a symmetric encryption key that is being managed; why not
> use symmetric message authentication as well, and take advantage of the
> performance gain?

Illumos' ZFS (i.e. the open-source kind) doesn't have encryption. Oracle's
ZFS uses SHA-256 if encryption is enabled, and it's very easy to use that in
Illumos as well, should encryption become available at some point in the
future. This comes back to my earlier argument, that ZFS isn't a security
protocol that's set in stone, but rather a dynamic filesystem that can cope
with structural changes on the fly.
Cheers,
--
Saso

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
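The "bit-by-bit comparison prior to deduplication" Saso refers to is the ZFS `dedup` property's `verify` flag (`zfs set dedup=sha256,verify pool/fs`, or `dedup=verify`, which means the same). The toy model below is an added example written for this page; it is not code from the thread or from illumos/ZFS. To make the collision attack he describes cheap to reproduce, the dedup table is keyed on SHA-256 truncated to 16 bits, an assumption that stands in for a "completely and utterly broken" hash (real ZFS keys its DDT on the full 256-bit checksum). The attacker pre-seeds the dedup table with a block whose checksum matches the victim's future block; without `verify` the victim's write is deduplicated onto the attacker's bytes, with `verify` the mismatch is caught and the block is stored on its own, which is how ZFS handles a verify failure (the write goes out with the dedup bit cleared). The `Pool` class, its method names and the sample block contents are my own constructions.

```python
"""Toy model of ZFS-style in-line dedup with and without 'verify'.

Added example, not code from the thread or from illumos/ZFS. Blocks are keyed
by a SHA-256 *truncated to 16 bits* (an assumption standing in for a broken
hash) so a collision can be brute-forced in well under a second.
"""
import hashlib
import itertools
from typing import Dict, List, Tuple

HASH_BITS = 16  # deliberately weak so find_colliding_block() finishes quickly

BlockPtr = Tuple[str, object]  # ("ddt", checksum) or ("unique", index)


def block_checksum(data: bytes) -> bytes:
    """Truncated SHA-256: the key under which a block lands in the DDT."""
    return hashlib.sha256(data).digest()[: HASH_BITS // 8]


class Pool:
    """Minimal pool: a dedup table (DDT) plus blocks stored outside it."""

    def __init__(self, verify: bool) -> None:
        self.verify = verify                 # models dedup=sha256,verify
        self.ddt: Dict[bytes, bytes] = {}    # checksum -> block contents
        self.unique: List[bytes] = []        # blocks written with dedup off
        self.collisions = 0                  # verify mismatches seen

    def write(self, data: bytes) -> BlockPtr:
        key = block_checksum(data)
        existing = self.ddt.get(key)
        if existing is None:
            self.ddt[key] = data
            return ("ddt", key)
        # DDT hit. Without verify, an equal checksum is taken as proof of
        # equal contents and the write simply references the existing block.
        if not self.verify or existing == data:
            return ("ddt", key)
        # verify caught a checksum collision with different bytes: store the
        # block on its own instead of deduplicating it.
        self.collisions += 1
        self.unique.append(data)
        return ("unique", len(self.unique) - 1)

    def read(self, bp: BlockPtr) -> bytes:
        kind, ref = bp
        return self.ddt[ref] if kind == "ddt" else self.unique[ref]


def find_colliding_block(target: bytes) -> bytes:
    """Brute-force a second preimage for the truncated checksum (~2^16 work)."""
    want = block_checksum(target)
    for i in itertools.count():
        candidate = b"attacker-chosen block %d" % i
        if candidate != target and block_checksum(candidate) == want:
            return candidate


def victim_data_survives(verify: bool) -> bool:
    """Attacker seeds the DDT with a colliding block; the victim writes later.

    Returns True if reading the victim's block back yields the victim's bytes.
    """
    pool = Pool(verify)
    victim = b"victim record: balance=1000"   # constructed sample block
    evil = find_colliding_block(victim)
    pool.write(evil)                          # attacker writes first
    bp = pool.write(victim)                   # checksum collides with evil
    return pool.read(bp) == victim


if __name__ == "__main__":
    for flag in (False, True):
        state = "intact" if victim_data_survives(flag) else "CORRUPTED"
        print("verify=%-5s -> victim block %s" % (flag, state))
```

The point the model makes concrete: the dedup table turns a second-preimage on the checksum into a write primitive against other users' data, and `verify` removes that dependency on the hash entirely at the cost of one extra read per DDT hit. The trade-off is performance, not correctness, which is why the thread can treat a future break of SHA-256 as a configuration change rather than an on-disk format change.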
