On Mon, 2018-09-03 at 09:48 +0200, Milan Broz wrote:
> sorry for long delay, I was most of the time offline.

Thanks, and no worries :-)

> On 19/08/18 19:27, Christoph Anton Mitterer wrote:
> > - ChaCha20 seems to have all 128 bit IV... but is this correct? I've
> > modprobed chacha20poly1305 ... but at least there's no reference to
> > poly1305 in /proc/crypto
>
> No, we use RFC7539 wrapper for Chacha20-poly1305 and here the nonce is
> only 96bit.
>
> So the same probability of collision as in GCM, just a nonce collision
> does not cause such fatal failure as in GCM.

Are there any plans to provide ChaCha20/Poly1305 with larger nonces in the
future?

I mean having it would be at least interesting from the PoV that they seem
to have quite some substantial amount of cryptanalysis.

> I will probably oversimplify it, but until we have time to really
> write documentation examples (and explain it in detail), these are my
> advices:
>
> - authenticated encryption remains as experimental feature
> - never use GCM mode
> - Avoid Chacha20-poly1305 as well (because of 96bit nonce)
> - For authenticated modes use random IV only.
> - For NON-authenticated modes, never use random IV.

It would be nice if cryptsetup and the other tools gave a warning, or
allowed the use of "unsafe" combinations (like e.g. non-AEAD + random-IV or
GCM/ChaCha20+Poly1305-with-96bit-nonce) only when a special option like
--unsafe-but-i-know-what-i-do is given :-)

> - Do not use slow hashes (sha3) or too long hashes (sha512) in HMAC-based
> authentication tags (it is overkill and performance will suffer extremely).
> SHA256 should be enough.

Okay, but that's only a performance thingy.

> 2) Use new native AEAD algorithms with 128bit nonces (in kernel 4.18 and
> later) (aegis128,aegis256,aegis128l,morus640,morus1280), for example
>
> "--cipher aegis128-random --key-size 128 --integrity aead" or
> "--cipher aegis256-random --key-size 256 --integrity aead" or
> "--cipher morus640-random --key-size 128 --integrity aead" ...

Do these work already in 2.0 with 4.18? I thought some algos were still
hardcoded in cryptsetup?

Thanks for your explanations :-)

Cheers,
Chris.
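Editor's note (added example, not part of the thread and not cryptsetup or dm-crypt code): the question about what /proc/crypto shows for chacha20poly1305, and Milan's 96-bit-nonce advice, both come down to the "ivsize" field the kernel reports for each AEAD. The script below parses the /proc/crypto layout, lists every AEAD with its nonce size in bits, and flags the ones below 128 bits (gcm(aes) and rfc7539(chacha20,poly1305) both report ivsize 12, i.e. 96 bits; aegis128 reports 16). The embedded sample is constructed to mirror real entries with most fields trimmed; the driver strings are illustrative. When run on a Linux host it reads the real /proc/crypto instead.

```python
"""List AEAD ciphers from /proc/crypto with their nonce (ivsize) in bits.

Added example for this thread; not code from cryptsetup or dm-crypt.
The sample below is a constructed excerpt in the kernel's
"key : value" layout, with irrelevant fields removed.
"""
import os
from typing import Dict, List

# Constructed /proc/crypto excerpt (driver strings are illustrative).
SAMPLE_PROC_CRYPTO = """\
name         : aegis128
driver       : aegis128-generic
module       : aegis128
type         : aead
ivsize       : 16
maxauthsize  : 16

name         : rfc7539(chacha20,poly1305)
driver       : rfc7539(chacha20-generic,poly1305-generic)
module       : chacha20poly1305
type         : aead
ivsize       : 12
maxauthsize  : 16

name         : gcm(aes)
driver       : gcm_base(ctr(aes-generic),ghash-generic)
module       : gcm
type         : aead
ivsize       : 12
maxauthsize  : 16

name         : xts(aes)
driver       : xts(aes-generic)
module       : xts
type         : skcipher
ivsize       : 16
"""

# Threshold behind the "avoid 96-bit nonce AEADs with random IV" advice.
MIN_SAFE_NONCE_BITS = 128


def parse_proc_crypto(text: str) -> List[Dict[str, str]]:
    """Split /proc/crypto into one dict per algorithm (blank-line separated)."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def aead_nonce_sizes(text: str) -> Dict[str, int]:
    """Map each AEAD algorithm name to its nonce size in bits (ivsize * 8)."""
    return {
        r["name"]: int(r["ivsize"]) * 8
        for r in parse_proc_crypto(text)
        if r.get("type") == "aead" and "ivsize" in r
    }


def small_nonce_aeads(text: str) -> List[str]:
    """AEADs whose nonce is below 128 bits: random-IV collision risk per sector."""
    return sorted(
        name for name, bits in aead_nonce_sizes(text).items()
        if bits < MIN_SAFE_NONCE_BITS
    )


def main() -> None:
    path = "/proc/crypto"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
        print(f"reading {path}")
    else:
        text = SAMPLE_PROC_CRYPTO
        print("no /proc/crypto here, using constructed sample")
    for name, bits in sorted(aead_nonce_sizes(text).items()):
        flag = "  <-- nonce below 128 bits" if bits < MIN_SAFE_NONCE_BITS else ""
        print(f"{name:40s} nonce {bits:3d} bits{flag}")


if __name__ == "__main__":
    main()
```

Only algorithms whose modules are already loaded appear in /proc/crypto, so "modprobe aegis128" or "modprobe chacha20poly1305" first if an entry is missing; the rfc7539 AEAD is what chacha20poly1305 registers, which is why searching for a bare "poly1305" name finds nothing.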