On 25/04/12 15:03, MauMau wrote:
> Q1: Is AES-XTS officially supported by OpenSSL 1.0.1? I'm wondering if
> XTS is still an experimental feature in OpenSSL, because the file
> "Changes" in the OpenSSL 1.0.1 tarball does not refer to XTS.

Well 1.0.1 is the latest stable version, and I have seen nothing to
indicate that the XTS support is anything but supported. I suspect it is
just an oversight in the ChangeLog.

> Please look at crypt/evp/evp_enc.c. The below code fragment in
> EVP_CipherInit_ex() does not appear to have support code for XTS.
> --------------------------------------------------
> if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
>     switch(EVP_CIPHER_CTX_mode(ctx)) {
>     case EVP_CIPH_STREAM_CIPHER:
>     case EVP_CIPH_ECB_MODE:
>         break;
>     case EVP_CIPH_CFB_MODE:
>     case EVP_CIPH_OFB_MODE:
>         ctx->num = 0;
>         /* fall-through */
>     case EVP_CIPH_CBC_MODE:
>         ...
>         break;
>     case EVP_CIPH_CTR_MODE:
>         ...
>         break;
>     default:
>         return 0;
>         break;
>     }
> }
> --------------------------------------------------

This code is only relevant if the EVP_CIPH_CUSTOM_IV flag is not set. If
it is set it is ignored. XTS sets this flag in e_aes.c:

    #define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
                       | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)

That is why it does not appear to handle XTS.

> Q2: Is AES-XTS slower than AES-CBC? Does AES-NI speed up AES-XTS like
> AES-CBC?

Yes it is slower because there is an additional encryption operation on
the "tweak".

I think AES-NI speeds up the implementation of the underlying AES
cipher, and therefore would be used no matter what the mode (perhaps one
of the openssl developers can confirm??)

To test out the speed implications I knocked together a quick piece of
code to do 1,000,000 AES-256 XTS encryptions of a 4k record followed by
1,000,000 AES-256 CBC encryptions. XTS took approx. 108s to run, whilst
CBC took approx. 41s to run (on my underpowered netbook).

To put this into perspective that means that XTS took approx. 0.1ms to
encrypt a single 4k record, compared to 0.04ms for CBC. In other words a
0.06ms performance penalty. Now I don't know what your application is
attempting to do, but I suggest that in most scenarios that kind of
penalty is not going to be noticed, and will probably be negligible
compared to the file i/o.

I haven't done a test for decryptions but I would expect it to be similar.

Matt

> Thanks.
> Regards
> MauMau
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
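
Added example (not part of the original thread and not OpenSSL's code): a C sketch of the XTS structure behind the answer to Q2, showing where XTS spends work beyond one cipher call per block: a tweak encryption once per data unit, then two XORs and a GF(2^128) multiplication per block. toy_encrypt is a hypothetical, insecure stand-in for AES, and all function names and sample keys are constructed for illustration; only whole blocks are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 16
static unsigned long cipher_calls;        /* block-cipher invocations so far */

/* Stand-in for AES (assumption of this sketch): NOT secure, it only mixes and counts. */
static void toy_encrypt(const uint8_t *k, const uint8_t *in, uint8_t *out) {
    uint8_t t[BLK];
    for (int i = 0; i < BLK; i++) t[i] = (uint8_t)(in[(i + 1) % BLK] ^ k[i]);
    memcpy(out, t, BLK);                  /* temporary lets in and out alias */
    cipher_calls++;
}

/* Multiply the tweak by alpha in GF(2^128); little-endian byte order as in IEEE 1619. */
static void gf128_mul_alpha(uint8_t t[BLK]) {
    unsigned carry = t[BLK - 1] >> 7;
    for (int i = BLK - 1; i > 0; i--) t[i] = (uint8_t)((t[i] << 1) | (t[i - 1] >> 7));
    t[0] = (uint8_t)((t[0] << 1) ^ (carry ? 0x87 : 0));   /* x^128 = x^7+x^2+x+1 */
}

/* XTS encryption of whole blocks (no ciphertext stealing); -1 on a bad length. */
static int xts_encrypt(const uint8_t *k1, const uint8_t *k2, const uint8_t *tweak,
                       const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t t[BLK], x[BLK];
    if (len == 0 || len % BLK) return -1;
    toy_encrypt(k2, tweak, t);            /* extra encryption: once per data unit */
    for (size_t off = 0; off < len; off += BLK) {
        for (int i = 0; i < BLK; i++) x[i] = (uint8_t)(in[off + i] ^ t[i]);
        toy_encrypt(k1, x, x);            /* the one cipher call CBC also makes per block */
        for (int i = 0; i < BLK; i++) out[off + i] = (uint8_t)(x[i] ^ t[i]);
        gf128_mul_alpha(t);               /* per-block tweak update */
    }
    return 0;
}

/* Cipher calls spent on one all-zero record of len bytes (constructed input). */
static unsigned long xts_calls_for(size_t len) {
    static uint8_t in[4096], out[4096];
    const uint8_t k1[BLK] = {1}, k2[BLK] = {2}, sector[BLK] = {7};
    cipher_calls = 0;
    if (len > sizeof in || xts_encrypt(k1, k2, sector, in, out, len)) return 0;
    return cipher_calls;
}

int main(void) {
    printf("4096-byte record: %lu cipher calls in XTS, %d in unpadded CBC\n", xts_calls_for(4096), 4096 / BLK);
    return 0;
}
```

The counter only tracks block-cipher calls; the XORs and the tweak multiplication are the remaining per-block work that a plain CBC loop does not have.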