Return-Path: <obnam-dev-bounces@obnam.org>
X-Original-To: distix@pieni.net
Delivered-To: distix@pieni.net
Received: from yaffle.pepperfish.net (yaffle.pepperfish.net [88.99.213.221])
	by pieni.net (Postfix) with ESMTPS id 9BCE344F74
	for <distix@pieni.net>; Tue,  4 Jul 2017 06:41:44 +0000 (UTC)
Received: from platypus.pepperfish.net (unknown [10.112.101.20])
	by yaffle.pepperfish.net (Postfix) with ESMTP id 280E741DDB;
	Tue,  4 Jul 2017 07:41:44 +0100 (BST)
Received: from ip6-localhost.nat ([::1] helo=platypus.pepperfish.net)
	by platypus.pepperfish.net with esmtp (Exim 4.80 #2 (Debian))
	id 1dSHWq-0006lz-41; Tue, 04 Jul 2017 07:41:44 +0100
Received: from [10.112.101.21] (helo=inmail2.pepperfish.net)
 by platypus.pepperfish.net with esmtps (Exim 4.80 #2 (Debian))
 id 1dSHWp-0006lo-9F
 for <obnam-dev@obnam.org>; Tue, 04 Jul 2017 07:41:43 +0100
Received: from relay2-d.mail.gandi.net ([217.70.183.194])
 by inmail2.pepperfish.net with esmtps
 (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89)
 (envelope-from <hsivonen@hsivonen.fi>) id 1dSHWn-0006UJ-9s
 for obnam-dev@obnam.org; Tue, 04 Jul 2017 07:41:43 +0100
Received: from mfilter29-d.gandi.net (mfilter29-d.gandi.net [217.70.178.160])
 by relay2-d.mail.gandi.net (Postfix) with ESMTP id 1E27FC5A63
 for <obnam-dev@obnam.org>; Tue,  4 Jul 2017 08:41:35 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mfilter29-d.gandi.net
Received: from relay2-d.mail.gandi.net ([IPv6:::ffff:217.70.183.194])
 by mfilter29-d.gandi.net (mfilter29-d.gandi.net [::ffff:10.0.15.180])
 (amavisd-new, port 10024)
 with ESMTP id fSOWi2gJob0Y for <obnam-dev@obnam.org>;
 Tue,  4 Jul 2017 08:41:33 +0200 (CEST)
X-Originating-IP: 74.125.82.48
Received: from mail-wm0-f48.google.com (mail-wm0-f48.google.com [74.125.82.48])
 (Authenticated sender: hsivonen@hsivonen.fi)
 by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id AE6D4C5A69
 for <obnam-dev@obnam.org>; Tue,  4 Jul 2017 08:41:33 +0200 (CEST)
Received: by mail-wm0-f48.google.com with SMTP id w126so185943047wme.0
 for <obnam-dev@obnam.org>; Mon, 03 Jul 2017 23:41:33 -0700 (PDT)
X-Gm-Message-State: AKS2vOxsvIADdUoe0N7VVv17hCFgs3X/BW829tCeulK29Ofjtm/Yot5D
 CBMeYwcO4xe8yOX6gEs/FYLfbbmMSg==
X-Received: by 10.80.173.85 with SMTP id z21mr17616844edc.10.1499150493195;
 Mon, 03 Jul 2017 23:41:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.80.137.150 with HTTP; Mon, 3 Jul 2017 23:41:32 -0700 (PDT)
In-Reply-To: <f1809076-4875-1c34-b321-681ccf1b2071@palant.de>
References: <2d0a8c01-9f58-1ee7-7e20-53fe65d96718@palant.de>
 <CAJQvAueazfvt9g2nPsqyuzecJXU0BRVs7hyZoqFBdG3bCmxO+w@mail.gmail.com>
 <f1809076-4875-1c34-b321-681ccf1b2071@palant.de>
From: Henri Sivonen <hsivonen@hsivonen.fi>
Date: Tue, 4 Jul 2017 09:41:32 +0300
X-Gmail-Original-Message-ID: <CAJQvAuePi1ULTxJJKmwwwSNRn-dRuK0cfjWMqm2nBQDqYxeDzw@mail.gmail.com>
Message-ID: <CAJQvAuePi1ULTxJJKmwwwSNRn-dRuK0cfjWMqm2nBQDqYxeDzw@mail.gmail.com>
To: Wladimir Palant <gtiobnam@palant.de>
Content-Type: text/plain; charset="UTF-8"
X-Pepperfish-Transaction: b48f-cc43-c640-3b98
X-Spam-Score: -2.1
X-Spam-Score-int: -20
X-Spam-Bar: --
X-Scanned-By: pepperfish.net, Tue, 04 Jul 2017 07:41:43 +0100
X-Spam-Report: Content analysis details: (-2.1 points)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.5 PPF_RECEIVED_HTTP      Received header mentions http
 -0.0 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
 [217.70.183.194 listed in wl.mailspike.net]
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
 [score: 0.0000]
 -0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
 trust [217.70.183.194 listed in list.dnswl.org]
 -0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
X-ACL-Warn: message may be spam
X-Scan-Signature: 5c9ebe5549acf97681f6c358f7c1c00a
Cc: obnam-dev@obnam.org
Subject: Re: [rfc] Passphrase-based encryption
X-BeenThere: obnam-dev@obnam.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Obnam development discussions <obnam-dev-obnam.org>
List-Unsubscribe: <http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org>,
 <mailto:obnam-dev-request@obnam.org?subject=unsubscribe>
List-Archive: <http://listmaster.pepperfish.net/pipermail/obnam-dev-obnam.org>
List-Post: <mailto:obnam-dev@obnam.org>
List-Help: <mailto:obnam-dev-request@obnam.org?subject=help>
List-Subscribe: <http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org>,
 <mailto:obnam-dev-request@obnam.org?subject=subscribe>
Sender: obnam-dev-bounces@obnam.org
Errors-To: obnam-dev-bounces@obnam.org

On Mon, Jul 3, 2017 at 10:16 PM, Wladimir Palant <gtiobnam@palant.de> wrote:
> On 03.07.2017 20:29, Henri Sivonen wrote:
>> Probably more important than letting users tweak the key size is to
>> make sure that the AEAD construction is good and suitable for use with
>> a randomly-generated nonce for the amount of data one would expect to
>> encrypt using Obnam. I don't know if CFB fits this, but
>> XSalsa20+Poly1305 or XChaCha20+Poly1305 should (the non-X variants of
>> Salsa20 and ChaCha20 *don't*).
>
>
> CFB uses initialization vectors (randomly generated for each file in my
> case) which I think serve a similar purpose. But I'm not really familiar
> with either Salsa20 or ChaCha20 so I would be grateful if you could expand.
> What kind of issues is this about?

If the nonce has too few bits, the probability of nonce reuse is more
than negligible for randomly-generated nonces. The X in XSalsa20 and
XChaCha20 stands for eXtended nonce: A nonce that's long enough that
the probability of nonce reuse with randomly-generated nonces is
considered negligible. XSalsa20 uses a 192-bit nonce. Salsa20 uses a
64-bit nonce.

A 192-bit nonce is considered long enough in order for it to be OK to
generate the nonce simply by pulling the bits out of a random number
generator while a 64-bit nonce is too short for that to be OK. I now
fail to find a good paper that would explain why 192 bits is
considered enough and how bad 128-bit nonces are, but it is a matter
of probability. (I can't recall how the probability threshold for
"negligible" is chosen.)

> Are you implying that these algorithms
> would be better performance-wise?

At least ChaCha20 outperforms AES in the absence of hardware support
for AES (such as Intel AES-NI).
https://www.imperialviolet.org/2013/10/07/chacha20.html

-- 
Henri Sivonen
hsivonen@hsivonen.fi
https://hsivonen.fi/

_______________________________________________
obnam-dev mailing list
obnam-dev@obnam.org
http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/obnam-dev-obnam.org
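The probability argument Henri gives above (random nonces, nonce reuse becoming likely once too many messages share a nonce size) is a birthday-bound calculation. The following is an added worked example, not code from the thread or from Obnam: it computes the union-bound estimate of the reuse probability for the nonce sizes mentioned (64-bit Salsa20/ChaCha20, 128-bit, 192-bit XSalsa20/XChaCha20) and how many messages each size allows before a chosen threshold is exceeded. The 2^-32 "negligible" threshold is an assumption for illustration, since the mail explicitly does not settle how that threshold is chosen.

```python
from fractions import Fraction
from math import isqrt

# Nonce sizes named in the thread (bits).
NONCE_SIZES = {
    "Salsa20 / ChaCha20": 64,
    "128-bit nonce": 128,
    "XSalsa20 / XChaCha20": 192,
}

# Assumed threshold for "negligible" reuse probability; the mail leaves it open.
NEGLIGIBLE = Fraction(1, 2 ** 32)


def collision_probability(n_messages: int, nonce_bits: int) -> Fraction:
    """Upper bound on P(at least two of n random nonce_bits-bit nonces coincide).

    Union bound over the n(n-1)/2 pairs, each pair colliding with probability
    2**-nonce_bits. This equals the expected number of colliding pairs and is
    tight when the probability is small, which is the regime that matters.
    Exact rational arithmetic so 192-bit sizes do not lose precision.
    """
    pairs = n_messages * (n_messages - 1) // 2
    return Fraction(pairs, 2 ** nonce_bits)


def max_messages(nonce_bits: int, max_probability) -> int:
    """Largest n with collision_probability(n, nonce_bits) <= max_probability.

    Solves n(n-1)/2 <= budget, budget = max_probability * 2**nonce_bits,
    i.e. n <= (1 + sqrt(1 + 8*budget)) / 2, entirely in integer arithmetic.
    """
    budget = Fraction(max_probability) * 2 ** nonce_bits
    disc = 1 + 8 * budget
    a, b = disc.numerator, disc.denominator
    # floor(sqrt(a/b)) == isqrt(a*b) // b for positive integers a, b
    root = isqrt(a * b) // b
    return (1 + root) // 2


def summary(n_messages: int = 10 ** 9) -> dict:
    """Per nonce size: reuse probability after n_messages random nonces and the
    message budget that stays under NEGLIGIBLE."""
    return {
        name: {
            "bits": bits,
            "p_reuse": collision_probability(n_messages, bits),
            "max_messages": max_messages(bits, NEGLIGIBLE),
        }
        for name, bits in NONCE_SIZES.items()
    }


if __name__ == "__main__":
    # A backup tool encrypting a billion files, each with a fresh random nonce
    # (constructed scenario for illustration).
    for name, row in summary().items():
        print(f"{name:22s} {row['bits']:4d} bits  "
              f"P(reuse @ 1e9 msgs) = {float(row['p_reuse']):.3e}  "
              f"msgs under 2^-32: {row['max_messages']:.3e}")
```

With a 64-bit nonce the union bound already gives roughly a 2.7% reuse probability after a billion random nonces, and only about 9.3e4 messages stay under the 2^-32 threshold; the 192-bit size admits more than 2^80 messages before reaching the same threshold, which is why drawing the nonce straight from a random number generator is considered acceptable there.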