Thread (12 messages) 12 messages, 6 authors, 2017-12-11

Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

From: Jeffrey Walton <hidden>
Date: 2017-12-09 00:48:55
Also in: linux-ext4, linux-f2fs-devel, linux-fscrypt, linux-fsdevel

Still, a stream cipher is sufficient to protect data confidentiality in
the event of a single point-in-time permanent offline compromise of the
disk, which currently is the primary threat model for fscrypt.  Thus,
when the alternative is quite literally *no encryption*, we might as
well use a stream cipher.
The "single point in time" requirement is kind of interesting. I
believe you are saying the scheme lacks semantic security.

Forgive my ignorance... Does that mean this cipher should not be used
when backups are in effect; or sync'ing to <insert favorite cloud
provider> happens?

Jeff

On Thu, Dec 7, 2017 at 8:38 PM, Eric Biggers [off-list ref] wrote:
From: Eric Biggers <redacted>

fscrypt currently only supports AES encryption.  However, many low-end
mobile devices still use older CPUs such as ARMv7, which do not support
the AES instructions (the ARMv8 Cryptography Extensions).  This results
in very poor AES performance, even if the NEON bit-sliced implementation
is used.  Roughly 20-40 MB/s is a typical number, in comparison to
300-800 MB/s on CPUs that support the AES instructions.  Switching from
AES-256 to AES-128 only helps by about 30%.

The result is that vendors don't enable encryption on these devices,
leaving users unprotected.

A performance difference of similar magnitude can also be observed on
x86, between CPUs with and without the AES-NI instruction set.

This patch provides an alternative to AES by updating fscrypt to support
the ChaCha20 stream cipher (RFC7539) for contents encryption.  ChaCha20
was designed to have a large security margin, to be efficient on
general-purpose CPUs without dedicated instructions, and to be
vectorizable.  It is already supported by the Linux crypto API,
including a vectorized implementation for ARM using NEON instructions,
and vectorized implementations for x86 using SSSE3 or AVX2 instructions.

On 32-bit ARM processors with NEON support, ChaCha20 is about 3.2 times
faster than AES-128-XTS (chacha20-neon vs. xts-aes-neonbs).  Without
NEON support, ChaCha20 is about 1.5 times as fast (chacha20-generic vs.
xts(aes-asm)).  The improvement over AES-256-XTS is even greater.

Note that stream ciphers are not an ideal choice for disk encryption,
since each data block has to be encrypted with the same IV each time it
is overwritten.  Consequently, an adversary who observes the ciphertext
both before and after a write can trivially recover the keystream if
they can guess one of the plaintexts.  Moreover, an adversary who can
write to the ciphertext can flip arbitrary bits in the plaintext, merely
by flipping the corresponding bits in the ciphertext.  A block cipher
operating in the XTS or CBC-ESSIV mode provides some protection against
these types of attacks -- albeit not full protection, which would at
minimum require the use an authenticated encryption mode with nonces.

Unfortunately, we are unaware of any block cipher which performs as well
as ChaCha20, has a similar or greater security margin, and has been
subject to as much public security analysis.  We do not consider Speck
to be a viable alternative at this time.

Still, a stream cipher is sufficient to protect data confidentiality in
the event of a single point-in-time permanent offline compromise of the
disk, which currently is the primary threat model for fscrypt.  Thus,
when the alternative is quite literally *no encryption*, we might as
well use a stream cipher.

We offer ChaCha20 rather than the reduced-round variants ChaCha8 or
ChaCha12 because ChaCha20 has a much higher security margin, and we are
primarily targeting CPUs where ChaCha20 is fast enough, in particular
CPUs that have vector instructions such as NEON or SSSE3.  Also, the
crypto API currently only supports ChaCha20.  Still, if ChaCha8 and/or
ChaCha12 support were to be added to the crypto API, it would be
straightforward to support them in fscrypt too.

Currently, stream ciphers cannot be used for filenames encryption with
fscrypt because all filenames in a directory have to be encrypted with
the same IV.  Therefore, we offer ChaCha20 for contents encryption only.
Filenames encryption still must use AES-256-CTS-CBC.  This is acceptable
because filenames encryption is not as performance-critical as contents
encryption.

...
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help