Re: [Openvpn-devel] [ovpn-dco] AES-CCM available for testing
Am 06.12.20 um 17:09 schrieb Antonio Quartulli: > Hi all, > > Some people have expressed interest in ovpn-dco supporting AES-CBC. > > However, since ovpn-dco is currently using the AEAD kernel crypto API > only, introducing support for CBC mode would require quite some > refactoring and we do not really want to do that (the community believes > that as of now AEAD ciphers should always be preferred moving forward). > > In a previous discussion on this mailing list, it was highlighted that > AES-CCM is nothing else than AES-CBC in disguise as AEAD cipher. > > (for the curious: it is AES "Counter with CBC-MAC", known as CCM and > described in RFC3610). > > For this reason I decided to give AES-CCM a try and I implemented in it > the "aes-ccm" branch of the ovpn-dco repo. > > I am not sure if we're going to merge it to master yet, but for now it > would be interesting to gather feedback from those interested in this > cipher. > > Please note that OpenVPN3 does not yet support this cipher, therefore > the only way to test AES-CCM in ovpn-dco is to use the ovpn-cli tool > provided in the tests/ folder. > > > To do so, just specify "aes-ccm" as algorithm when setting a new key. > And here is a variant for OpenVPN 2.x that works with both mbed TLS and OpenSSL: https://github.com/schwabe/openvpn/tree/schwabe/aes-ccm While it is not as fast as the ovpn-dco variant, it might be easier to use than the doc variant as you only need to add data-ciphers AES-128-CCM on both sides to test. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [ovpn-dco] AES-CCM available for testing
Am 07.12.20 um 12:33 schrieb Jan Just Keijser: > Hi Antonio, > > On 07/12/20 10:56, Antonio Quartulli wrote: >> Hi Jan Just, Tony, >> >> On 07/12/2020 10:10, Jan Just Keijser wrote: >>> Thank you very much for adding this so quickly; it won't help Tony He >>> though, as he is stuck using a rather old AL314 + R9000 chip which does >>> not support CCM or GCM. I just checked the driver code and indeed there >>> is no HW support for GCM. They *do* support some AEAD algorithms: >>> >>> authenc-hmac-sha256-cbc-aes >>> authenc-hmac-sha384-cbc-aes >>> >>> which are listed as the (true) AEAD equivalent of AES+SHA ; the question >>> is : how hard would it be to add support for this (and would it be worth >>> it?) >> I would ask the same question to the vendor: how hard would it be to >> support AES-GCM in the current HW engine? >> >> Any info about that? >> They are the best recipient for such feature request I think. >> >> As far as I understood the HW engine is also open source, so actually >> anybody with the right motivation could take up that task. > I fully agree; however, the last change to the kernel driver for that > hardware was made over 3 years ago , so I suspect that it will be hard > to get GCM support for it. >> >> Forcing ourselves to sticking to legacy algorithms is not the right >> move, imho (especially when there are solutions - see above). >> To answer your question: my feeling is that working on it is not worth >> the benefit. >> >> > again, I tend to agree *but* when you say that 'openvpn-dco only > supports AEAD crypto algorithms" you can expect that sooner or later > someone will ask the question "how about authenc-hmac-sha256-cbc-aes ?" > because that *IS* an AEAD algorithm after all. > > But without support in OpenVPN 2.x for this the point is moot, as far as > I am concerned, as supporting something only in the kernel driver will > make it interoperable with the open source community version of OpenVPN. To be honest, I am not seeing any API in OpenSSL that makes use of them as AEAD ciphers. And if reduce them to the fact of being encrypt-then-mac ciphers we are basically back with normal OpenVPN usage of CBC+SHA1 since we always used encrypt-then-mac instead of the mac-then-encrypt that TLS used before. And the driver support argument at least for AES-CCM does not really count. From the README: This driver implements standard Linux Crypto API algorithms: ablkcipher - aes-cbc, aes-ecb, aes-ctr, dec-cbc, des-ecb, des3-ede-cbc, des3-ede-ecb. Something that implements aes-ctr and aes-cbc, implementing aes-ccm should be trivial. Even if means sending the data twice to the crypto engine for doing the cmac and the encryption in seperate calls. As my personal opinion: I still okay with CCM as it is still an optional mode for TLS 1.3 but TLS 1.3 does not implement any other mode and neither should we spend any extra time on algorithms that are already outdated and deprecated when we introduce them. I know that this feels unfair to people using old hardware but we have to make a cut at some point. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [ovpn-dco] AES-CCM available for testing
Hi Antonio, On 07/12/20 10:56, Antonio Quartulli wrote: Hi Jan Just, Tony, On 07/12/2020 10:10, Jan Just Keijser wrote: Thank you very much for adding this so quickly; it won't help Tony He though, as he is stuck using a rather old AL314 + R9000 chip which does not support CCM or GCM. I just checked the driver code and indeed there is no HW support for GCM. They *do* support some AEAD algorithms: authenc-hmac-sha256-cbc-aes authenc-hmac-sha384-cbc-aes which are listed as the (true) AEAD equivalent of AES+SHA ; the question is : how hard would it be to add support for this (and would it be worth it?) I would ask the same question to the vendor: how hard would it be to support AES-GCM in the current HW engine? Any info about that? They are the best recipient for such feature request I think. As far as I understood the HW engine is also open source, so actually anybody with the right motivation could take up that task. I fully agree; however, the last change to the kernel driver for that hardware was made over 3 years ago , so I suspect that it will be hard to get GCM support for it. Forcing ourselves to sticking to legacy algorithms is not the right move, imho (especially when there are solutions - see above). To answer your question: my feeling is that working on it is not worth the benefit. again, I tend to agree *but* when you say that 'openvpn-dco only supports AEAD crypto algorithms" you can expect that sooner or later someone will ask the question "how about authenc-hmac-sha256-cbc-aes ?" because that *IS* an AEAD algorithm after all. But without support in OpenVPN 2.x for this the point is moot, as far as I am concerned, as supporting something only in the kernel driver will make it interoperable with the open source community version of OpenVPN. cheers, JJK ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [ovpn-dco] AES-CCM available for testing
Hi Jan Just, Tony, On 07/12/2020 10:10, Jan Just Keijser wrote: > Thank you very much for adding this so quickly; it won't help Tony He > though, as he is stuck using a rather old AL314 + R9000 chip which does > not support CCM or GCM. I just checked the driver code and indeed there > is no HW support for GCM. They *do* support some AEAD algorithms: > > authenc-hmac-sha256-cbc-aes > authenc-hmac-sha384-cbc-aes > > which are listed as the (true) AEAD equivalent of AES+SHA ; the question > is : how hard would it be to add support for this (and would it be worth > it?) I would ask the same question to the vendor: how hard would it be to support AES-GCM in the current HW engine? Any info about that? They are the best recipient for such feature request I think. As far as I understood the HW engine is also open source, so actually anybody with the right motivation could take up that task. Forcing ourselves to sticking to legacy algorithms is not the right move, imho (especially when there are solutions - see above). To answer your question: my feeling is that working on it is not worth the benefit. Regards, -- Antonio Quartulli ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [ovpn-dco] AES-CCM available for testing
yeah, also looking forward to add support authenc-hmac-sha256-cbc-aes because I have another IPQ806x device which support this mode but not CCM or GCM. IPQ806x devices are widely used for router users. Tony Jan Just Keijser 于2020年12月7日周一 下午5:12写道: > Hi Antonio, > > On 06/12/20 17:09, Antonio Quartulli wrote: > > Hi all, > > Some people have expressed interest in ovpn-dco supporting AES-CBC. > > However, since ovpn-dco is currently using the AEAD kernel crypto API > only, introducing support for CBC mode would require quite some > refactoring and we do not really want to do that (the community believes > that as of now AEAD ciphers should always be preferred moving forward). > > In a previous discussion on this mailing list, it was highlighted that > AES-CCM is nothing else than AES-CBC in disguise as AEAD cipher. > > (for the curious: it is AES "Counter with CBC-MAC", known as CCM and > described in RFC3610). > > For this reason I decided to give AES-CCM a try and I implemented in it > the "aes-ccm" branch of the ovpn-dco repo. > > I am not sure if we're going to merge it to master yet, but for now it > would be interesting to gather feedback from those interested in this > cipher. > > Please note that OpenVPN3 does not yet support this cipher, therefore > the only way to test AES-CCM in ovpn-dco is to use the ovpn-cli tool > provided in the tests/ folder. > > > To do so, just specify "aes-ccm" as algorithm when setting a new key. > > > > > excellent news! > Thank you very much for adding this so quickly; it won't help Tony He > though, as he is stuck using a rather old AL314 + R9000 chip which does not > support CCM or GCM. I just checked the driver code and indeed there is no > HW support for GCM. They *do* support some AEAD algorithms: > > authenc-hmac-sha256-cbc-aes > authenc-hmac-sha384-cbc-aes > > which are listed as the (true) AEAD equivalent of AES+SHA ; the question > is : how hard would it be to add support for this (and would it be worth > it?) > > cheers, > > JJK > ___ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel > ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [ovpn-dco] AES-CCM available for testing
Hi Antonio, On 06/12/20 17:09, Antonio Quartulli wrote: Hi all, Some people have expressed interest in ovpn-dco supporting AES-CBC. However, since ovpn-dco is currently using the AEAD kernel crypto API only, introducing support for CBC mode would require quite some refactoring and we do not really want to do that (the community believes that as of now AEAD ciphers should always be preferred moving forward). In a previous discussion on this mailing list, it was highlighted that AES-CCM is nothing else than AES-CBC in disguise as AEAD cipher. (for the curious: it is AES "Counter with CBC-MAC", known as CCM and described in RFC3610). For this reason I decided to give AES-CCM a try and I implemented in it the "aes-ccm" branch of the ovpn-dco repo. I am not sure if we're going to merge it to master yet, but for now it would be interesting to gather feedback from those interested in this cipher. Please note that OpenVPN3 does not yet support this cipher, therefore the only way to test AES-CCM in ovpn-dco is to use the ovpn-cli tool provided in the tests/ folder. To do so, just specify "aes-ccm" as algorithm when setting a new key. excellent news! Thank you very much for adding this so quickly; it won't help Tony He though, as he is stuck using a rather old AL314 + R9000 chip which does not support CCM or GCM. I just checked the driver code and indeed there is no HW support for GCM. They *do* support some AEAD algorithms: authenc-hmac-sha256-cbc-aes authenc-hmac-sha384-cbc-aes which are listed as the (true) AEAD equivalent of AES+SHA ; the question is : how hard would it be to add support for this (and would it be worth it?) cheers, JJK ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [ovpn-dco] AES-CCM available for testing
Hi all, Some people have expressed interest in ovpn-dco supporting AES-CBC. However, since ovpn-dco is currently using the AEAD kernel crypto API only, introducing support for CBC mode would require quite some refactoring and we do not really want to do that (the community believes that as of now AEAD ciphers should always be preferred moving forward). In a previous discussion on this mailing list, it was highlighted that AES-CCM is nothing else than AES-CBC in disguise as AEAD cipher. (for the curious: it is AES "Counter with CBC-MAC", known as CCM and described in RFC3610). For this reason I decided to give AES-CCM a try and I implemented in it the "aes-ccm" branch of the ovpn-dco repo. I am not sure if we're going to merge it to master yet, but for now it would be interesting to gather feedback from those interested in this cipher. Please note that OpenVPN3 does not yet support this cipher, therefore the only way to test AES-CCM in ovpn-dco is to use the ovpn-cli tool provided in the tests/ folder. To do so, just specify "aes-ccm" as algorithm when setting a new key. Cheers, -- Antonio Quartulli ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel