Re: [openssl-dev] [openssl.org #4521] openssl GCM ordering

2016-04-27 Thread Andy Polyakov
> Is there a reason why openssl has the restriction of auth before encrypt
> order? I don't believe there is an algo restriction, was wondering why
> openssl has this.
> 
> 
> It *is* inherent in the algorithm. The authentication tag for the
> AAD is computed first, then the authentication tag for the encrypted
> data is computed.
> 
> [praveen] From the NIST documentation it is not that clear (SP-800-38D
> page 15).

Yes, it is, clear that is.

> 5. Define a block, S, as follows: S = GHASH_H(A || 0^v || C || 0^u
> || [len(A)]_64 || [len(C)]_64).

It says GHASH over AAD *followed* by Ciphertext, etc.

> I agree, but I was talking about the auth-only part. For example, in a
> packet that needs to be replicated, the outer header will change for each
> recipient, but the payload will remain the same. Was wondering if I can
> benefit by skipping the C part for the subsequent copies.
> 
> I totally understand for a HW implementation it does NOT make sense. But
> was curious why this restriction?

What restriction? The initial question was why CRYPTO_gcm128_aad works
the way it does (and the answer is: to comply with the specification), and
now it seems to be shifting toward the more philosophical question of why
the specification looks the way it does. The point is that it looks like
the wrong question is being asked. One should rather wonder what it would
take to make the so-called "fan-out" operation comply with the
specification, i.e. manufacturing compliant MACs given the same initial
parameters and a pre-encrypted payload. Obviously it would take dedicated
effort and a dedicated interface, say CRYPTO_gcm128_noencrypt(ctx,in,len)
in place of CRYPTO_gcm128_encrypt, that would do the hashing of the
pre-encrypted payload. However! This doesn't mean that it's actually
appropriate to implement and do. I mean, as already pointed out by others,
it doesn't sound like GCM is the right choice for "fan-out"...


-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] [openssl.org #4521] openssl GCM ordering

2016-04-26 Thread Salz, Rich
This is the way GCM works.  Perhaps you need something else, like CBC mode.
Closing this ticket.



Re: [openssl-dev] [openssl.org #4521] openssl GCM ordering

2016-04-26 Thread Praveen Kariyanahalli
See inline. Look for Praveen.

On Mon, Apr 25, 2016 at 7:20 PM, Brian Smith  wrote:

> Praveen Kariyanahalli via RT  wrote:
>
>> Is there a reason why openssl has the restriction of auth before encrypt
>> order? I don't believe there is an algo restriction, was wondering why
>> openssl has this.
>>
>
> It *is* inherent in the algorithm. The authentication tag for the AAD is
> computed first, then the authentication tag for the encrypted data is
> computed.
>
[praveen] From the NIST documentation it is not that clear (SP-800-38D page
15).


Steps:
   1. Let H = CIPH_K(0^128).
   2. Define a block, J0, as follows: If len(IV) = 96, then let J0 = IV
|| 0^31 || 1. If len(IV) ≠ 96, then let s = 128⌈len(IV)/128⌉ − len(IV), and
let J0 = GHASH_H(IV || 0^(s+64) || [len(IV)]_64).
*   3. Let C = GCTR_K(inc32(J0), P).*
   4. Let u = 128⌈len(C)/128⌉ − len(C) and let v = 128⌈len(A)/128⌉ −
len(A).
*   5. Define a block, S, as follows: S = GHASH_H(A || 0^v || C || 0^u ||
[len(A)]_64 || [len(C)]_64).*
   6. Let T = MSB_t(GCTR_K(J0, S)).
   7. Return (C, T).

Sorry, my cut and paste swallowed some characters :). The steps themselves
are NOT in the order you mention.




>
>
>> The reason I bring this up is that when I broadcast/multicast traffic I
>> need not encrypt the payload multiple times, but need to auth the header
>> differently, and openssl is refusing to cooperate :)
>
>
> With AEADs, in general, you can't separate the authentication from the
> encryption like that.
>
>
[praveen]

I agree, but I was talking about the auth-only part. For example, in a packet
that needs to be replicated, the outer header will change for each
recipient, but the payload will remain the same. Was wondering if I can benefit
by skipping the C part for the subsequent copies.

I totally understand for a HW implementation it does NOT make sense. But was
curious why this restriction?

Thanks
-Praveen


> Cheers,
> Brian
> --
> https://briansmith.org/
>


-- 
-Praveen


Re: [openssl-dev] [openssl.org #4521] openssl GCM ordering

2016-04-25 Thread Brian Smith
Praveen Kariyanahalli via RT  wrote:

> Is there a reason why openssl has the restriction of auth before encrypt
> order? I don't believe there is an algo restriction, was wondering why
> openssl has this.
>

It *is* inherent in the algorithm. The authentication tag for the AAD is
computed first, then the authentication tag for the encrypted data is
computed.


> The reason I bring this up is that when I broadcast/multicast traffic I need
> not encrypt the payload multiple times, but need to auth the header
> differently, and openssl is refusing to cooperate :)


With AEADs, in general, you can't separate the authentication from the
encryption like that.

Cheers,
Brian
-- 
https://briansmith.org/


Re: [openssl-dev] [openssl.org #4521] openssl GCM ordering

2016-04-25 Thread Salz, Rich via RT
Why do you want GCM then?



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4521
Please log in as guest with password guest if prompted



[openssl-dev] [openssl.org #4521] openssl GCM ordering

2016-04-25 Thread Praveen Kariyanahalli via RT
Is there a reason why openssl has the restriction of auth before encrypt
order? I don't believe there is an algo restriction, was wondering why
openssl has this.

int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const unsigned char *aad,
                      size_t len)
{

[snip]

    if (ctx->len.u[1])
        return -2;                      << Premature return

    alen += len;


The reason I bring this up is that when I broadcast/multicast traffic I need
not encrypt the payload multiple times, but need to auth the header
differently, and openssl is refusing to cooperate :)

Please throw light on how to work around this problem. Also please correct
me if my assumption is wrong.

Thanks in advance
-Praveen

