Re: [PATCH] crypto: Allow ecb(cipher_null) in FIPS mode


On Saturday, 22 April 2017, 09:54:08 CEST, Sandy Harris wrote:

Hi Sandy,

> In the FreeS/WAN project, back around the turn of the century,
> we refused to implement several things required by the RFCs
> because we thought they were insecure: null cipher, single
> DES & 768-bit DH Group 1.
> 
> At that time, not having DES did cause some problems in
> interoperating with other IPsec implementations, but I
> doubt it would today. Neither of the other dropped items
> caused any problems at all.
> 
> Today I'd say drop all of those plus the 1024-bit Group 2,
> and then look at whether others should go as well. As of
> 2001 or so, the 1536-bit Group 5 was very widely used,
> so dropping it might well be problematic, but I am not
> certain if it is either secure or widely used now.

This approach is fully appropriate and I strongly support that. However, the 
kernel crypto API has a need for a memcpy over SGLs, because the entire crypto 
API operates on SGLs. There are valid use cases. The one I am currently 
working on is AEAD ciphers, where we want to copy the AAD from the src SGL to 
the dst SGL. Instead of walking through the SGLs in my code and invoking the 
memcpy, I simply use the null cipher.

What I would like to say is that there are valid use cases of the null cipher 
which do not impair security constraints. For those use cases, the null cipher 
should and must be allowed.

For all other use cases, including the "encryption operation" in IPsec or 
dm-crypt, it should never be used.

Ciao
Stephan
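What "a memcpy over SGLs" means in practice, as an added illustration that is not part of Stephan's mail or of the kernel source: a user-space model of walking a fragmented source scatterlist and a differently fragmented destination scatterlist, where the ecb(cipher_null) "encryption" is reduced to the identity copy it actually is. `struct sg_entry`, `sg_null_cipher_copy`, the demo functions and the sample AAD bytes are all constructed here and are not kernel APIs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one scatterlist entry: a buffer and its length.
 * The kernel's struct scatterlist carries page/offset instead, but the
 * walking logic is the same. */
struct sg_entry {
    uint8_t *buf;
    size_t len;
};

/* Copy up to nbytes from the src chain to the dst chain, advancing through
 * both lists independently because their fragment boundaries differ.
 * Returns the number of bytes actually copied (fewer than nbytes if either
 * chain runs out). This is exactly the work ecb(cipher_null) does for the
 * caller, since its "encrypt" is the identity transform. */
size_t sg_null_cipher_copy(const struct sg_entry *src, size_t nsrc,
                           struct sg_entry *dst, size_t ndst, size_t nbytes)
{
    size_t si = 0, di = 0, soff = 0, doff = 0, done = 0;

    while (done < nbytes && si < nsrc && di < ndst) {
        size_t savail = src[si].len - soff;
        size_t davail = dst[di].len - doff;

        if (savail == 0) { si++; soff = 0; continue; }   /* next src fragment */
        if (davail == 0) { di++; doff = 0; continue; }   /* next dst fragment */

        size_t n = savail < davail ? savail : davail;
        if (n > nbytes - done)
            n = nbytes - done;

        /* The null cipher's "encryption": plaintext == ciphertext. */
        memcpy(dst[di].buf + doff, src[si].buf + soff, n);
        soff += n;
        doff += n;
        done += n;
    }
    return done;
}

/* Constructed sample: a 16-byte AAD split over three src fragments (5/7/4)
 * copied into two dst fragments (8/8). Returns 1 if dst now holds the AAD. */
int demo_copy_aad(void)
{
    static const char aad[] = "AAD-of-16-bytes!";     /* 16 bytes, constructed */
    uint8_t s0[5], s1[7], s2[4];
    memcpy(s0, aad, 5);
    memcpy(s1, aad + 5, 7);
    memcpy(s2, aad + 12, 4);
    struct sg_entry src[3] = { { s0, 5 }, { s1, 7 }, { s2, 4 } };

    uint8_t d0[8] = { 0 }, d1[8] = { 0 };
    struct sg_entry dst[2] = { { d0, 8 }, { d1, 8 } };

    if (sg_null_cipher_copy(src, 3, dst, 2, 16) != 16)
        return 0;
    return memcmp(d0, aad, 8) == 0 && memcmp(d1, aad + 8, 8) == 0;
}

/* Edge case: asking for more bytes than the src chain holds must stop at the
 * end of the chain rather than read past it. Returns the bytes copied. */
size_t demo_short_request(void)
{
    uint8_t s0[6] = "abcdef", s1[10] = "ghijklmnop";
    struct sg_entry src[2] = { { s0, 6 }, { s1, 10 } };
    uint8_t d0[32] = { 0 };
    struct sg_entry dst[1] = { { d0, 32 } };
    return sg_null_cipher_copy(src, 2, dst, 1, 32);   /* only 16 available */
}

int main(void)
{
    printf("AAD copied intact: %s\n", demo_copy_aad() ? "yes" : "no");
    printf("short request copied %zu bytes\n", demo_short_request());
    return 0;
}
```

In the kernel the same copy is requested by handing the src and dst scatterlists to the skcipher request (`skcipher_request_set_crypt()`), and the ecb(cipher_null) transform performs the fragment walk internally; the model above only makes visible why a caller would reach for it instead of open-coding the walk, and why such a copy-only use carries no cryptographic claim that a FIPS policy needs to protect.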