From: Henri Sivonen <hsivonen@hsivonen.fi>
To: Wladimir Palant
Cc: obnam-dev@obnam.org
Date: Tue, 4 Jul 2017 09:41:32 +0300
Subject: Re: [rfc] Passphrase-based encryption
References: <2d0a8c01-9f58-1ee7-7e20-53fe65d96718@palant.de>

On Mon, Jul 3, 2017 at 10:16 PM, Wladimir Palant wrote:
> On 03.07.2017 20:29, Henri Sivonen wrote:
>> Probably more important than letting users tweak the key size is to
>> make sure that the AEAD construction is good and suitable for use with
>> a randomly-generated nonce for the amount of data one would expect to
>> encrypt using Obnam. I don't know if CFB fits this, but
>> XSalsa20+Poly1305 or XChaCha20+Poly1305 should (the non-X variants of
>> Salsa20 and ChaCha20 *don't*).
>
> CFB uses initialization vectors (randomly generated for each file in my
> case) which I think serve a similar purpose. But I'm not really familiar
> with either Salsa20 or ChaCha20 so I would be grateful if you could expand.
> What kind of issues is this about?

If the nonce has too few bits, the probability of nonce reuse is more
than negligible for randomly-generated nonces.

The X in XSalsa20 and XChaCha20 stands for eXtended nonce: a nonce
that's long enough that the probability of nonce reuse with
randomly-generated nonces is considered negligible. XSalsa20 uses a
192-bit nonce. Salsa20 uses a 64-bit nonce. A 192-bit nonce is
considered long enough in order for it to be OK to generate the nonce
simply by pulling the bits out of a random number generator, while a
64-bit nonce is too short for that to be OK.

I now fail to find a good paper that would explain why 192 bits is
considered enough and how bad 128-bit nonces are, but it is a matter
of probability. (I can't recall how the probability threshold for
"negligible" is chosen.)

> Are you implying that these algorithms
> would be better performance-wise?

At least ChaCha20 outperforms AES in the absence of hardware support
for AES (such as Intel AES-NI).
https://www.imperialviolet.org/2013/10/07/chacha20.html

--
Henri Sivonen
hsivonen@hsivonen.fi
https://hsivonen.fi/

_______________________________________________
obnam-dev mailing list
obnam-dev@obnam.org
http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org
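An added illustration, not part of the thread, of the probability argument in the reply above: the birthday bound for uniformly random nonces, evaluated for Salsa20's 64-bit and XSalsa20's 192-bit nonce. The 96-bit row (the IETF ChaCha20-Poly1305 nonce size) and the 2^-32 "negligible" threshold are assumptions added here for comparison, not values from the thread.

```python
import math


def collision_probability(nonce_bits: int, messages: int) -> float:
    """Birthday-bound estimate of P(at least one nonce repeats) when `messages`
    nonces of `nonce_bits` bits are drawn uniformly at random under one key."""
    space = 2 ** nonce_bits
    # P ~= 1 - exp(-n(n-1)/(2N)); expm1 keeps precision when P is tiny.
    return -math.expm1(-messages * (messages - 1) / (2 * space))


def max_messages(nonce_bits: int, threshold_log2: int = -32) -> int:
    """Largest n with n^2 / 2^(bits+1) <= 2^threshold_log2: how many random
    nonces one key may use before P(reuse) exceeds the threshold.
    The default 2^-32 is an assumed, commonly quoted 'negligible' line."""
    # n^2 <= 2^(bits + 1 + threshold_log2); isqrt keeps this exact for 192 bits.
    return math.isqrt(2 ** (nonce_bits + 1 + threshold_log2))


# Nonce sizes named in the thread (64 = Salsa20, 192 = XSalsa20); 96 is the
# IETF ChaCha20-Poly1305 nonce, added here for comparison.
NONCE_SIZES = {
    "Salsa20 / ChaCha20": 64,
    "IETF ChaCha20-Poly1305 (added)": 96,
    "XSalsa20 / XChaCha20": 192,
}


def budget_table(threshold_log2: int = -32) -> dict:
    """Map each construction to its per-key message budget at the threshold."""
    return {name: max_messages(bits, threshold_log2)
            for name, bits in NONCE_SIZES.items()}


if __name__ == "__main__":
    for name, n in budget_table().items():
        print(f"{name:32s} {n:>26d} messages before P(reuse) > 2^-32")
    # With a 64-bit nonce, ~39% of keys see a repeat after 2^32 random nonces.
    print(f"P(reuse | 64-bit, 2^32 messages) = "
          f"{collision_probability(64, 2 ** 32):.3f}")
```

The 64-bit budget comes out at under 10^5 files per key, the 192-bit one above 2^80, which is why only the X variants are safe with nonces pulled straight from a random number generator.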