[cryptography] [zfs] SHA-3 winner announced

Eugen Leitl eugen at leitl.org
Wed Oct 3 10:51:07 EDT 2012

----- Forwarded message from Sašo Kiselkov <skiselkov.ml at gmail.com> -----

From: Sašo Kiselkov <skiselkov.ml at gmail.com>
Date: Wed, 03 Oct 2012 15:54:08 +0200
To: zfs at lists.illumos.org
CC: Eugen Leitl <eugen at leitl.org>
Subject: Re: [cryptography] [zfs] SHA-3 winner announced
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1

On 10/03/2012 03:16 PM, Eugen Leitl wrote:
> ----- Forwarded message from "David McGrew (mcgrew)" <mcgrew at cisco.com> -----
> From: "David McGrew (mcgrew)" <mcgrew at cisco.com>
> Date: Wed, 3 Oct 2012 12:41:26 +0000
> To: Eugen Leitl <eugen at leitl.org>,
> 	"cryptography at randombit.net" <cryptography at randombit.net>
> Subject: Re: [cryptography] [zfs] SHA-3 winner announced
> user-agent: Microsoft-MacOutlook/
> If the hash function is being used in a symmetric message authentication
> code, such as HMAC, then a good alternative would be to use a MAC that has
> the performance properties that you are looking for, such as AES-GMAC,
> which is supported on recent x86 systems
> <http://www.intel.com/content/www/us/en/communications/communications-ia-ga
> lois-counter-mode-paper.html>.  

Nope, ZFS doesn't use the checksum/hash algorithm as a HMAC.

> AES-GCM is described as being supported
> in ZFS in Solaris 11 at
> <http://docs.oracle.com/cd/E23824_01/html/E24456/securedata-1.html#zfsencry
> pt-1>, though I don't see any details as to how that is implemented.

1) Illumos != Solaris (the latter being a proprietary product of Oracle)
2) It's probably implemented in the crypto module in the Solaris kernel

Anyways, this is irrelevant, since Illumos' ZFS doesn't use HMACs.

> Are the requirements for the security of ZFS and the use of cryptography
> in that filesystem documented anywhere?

The checksum/hash algorithms are used primarily in two areas:

 1) data integrity checksums (no security required)
 2) in-line data deduplication (some security required)

The latter is the only one that warrants some security concerns, in
order to prevent an attacker generating a collision block to
intentionally corrupt on-disk data, however, this attack is in itself
highly impractical, even if the hash used were completely and utterly
broken. And even so, it's very easy to tell ZFS to do bit-by-bit
comparison of the target blocks prior to deduplication, instantly
negating any potential security problems observed in the hash at a later
date during its life cycle.

> <https://blogs.oracle.com/bonwick/entry/zfs_end_to_end_data> mentions a
> Merkle tree of checksums, where the checksum function can be either
> Fletcher or SHA-256.  A collision-resistant hash of an entire system is
> indispensable if asymmetric authentication is needed, but are there common
> scenarios where that is needed?  If encryption is used in ZFS, then there
> is necessarily a symmetric encryption key that is being managed; why not
> use symmetric message authentication as well, and take advantage of the
> performance gain?

Illumos' ZFS (i.e. the open-source kind) doesn't have encryption.
Oracle's ZFS uses SHA-256 if encryption is enabled and it's very easy to
use that in Illumos as well, should encryption become available at some
point in the future. This comes back to my earlier argument, that ZFS
isn't a security protocol that's set in stone, but rather a dynamic
filesystem that can cope with structural changes on the fly.


----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cryptography mailing list