Truncating SHA2 hashes vs shortening a MAC for ZFS Crypto
Darren J Moffat
Darren.Moffat at Sun.COM
Fri Oct 30 13:30:03 EDT 2009
For the encryption functionality in the ZFS filesystem we use AES in CCM
or GCM mode at the block level to provide confidentiality and
authentication. There is also a SHA256 checksum per block (of the
ciphertext) that forms a Merkle tree of all the blocks in the pool.
Note that I have to store the full IV in the block. A block here is a
ZFS block which is any power of two from 512 bytes to 128k (the default).
The SHA256 checksums are used even for blocks in the pool that aren't
encrypted and are used for detecting and repairing (resilvering) block
corruption. Each filesystem in the pool has its own wrapping key and
data encryption keys.
Due to some unchangeable constraints I have only 384 bits of space to
fit in all of: IV, MAC (CCM or GCM Auth Tag), and the SHA256 checksum,
which best case would need about 480 bits.
Currently I have Option 1 below but the truncation of SHA256 down to
128 bits makes me question if this is safe. Remember the SHA256 is of
the ciphertext and is used for resilvering.
Option 1
--------
IV 96 bits (the max CCM allows given the other params)
MAC 128 bits
Checksum SHA256 truncated to 128 bits
Other options are:
Option 2
--------
IV 96 bits
MAC 128 bits
Checksum SHA224 truncated to 128 bits
Basically if I have to truncate to 128 bits is it better to do
it against SHA224 or SHA256?
Option 3
--------
IV 96 bits
MAC 128 bits
Checksum SHA224 or SHA256 truncated to 160 bits
Obviously better than 1 and 2 but how much better?
The reason it isn't used just now is because it is slightly
harder to lay out given other constraints in where the data lives.
Option 4
--------
IV 96 bits
MAC 32 bits
Checksum SHA256 at full 256 bits
I'm pretty sure the size of the MAC is far too small.
Option 5
--------
IV 96 bits
MAC 64 bits
Checksum SHA224 at full 224 bits
This feels like the best compromise, but is it?
Option 6
--------
IV 96 bits
MAC 96 bits
Checksum SHA224 or SHA256 truncated to 192 bits
--
Darren J Moffat
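A worked comparison of the six layouts, added here as an example and not part of the original message: it packs IV, auth tag and truncated checksum into the 384-bit budget, verifies the checksum the way a resilver would, and reports the birthday-bound collision strength each truncation leaves. The field order IV || tag || checksum and the sample ciphertext used in testing are assumptions, not ZFS's on-disk format.

```python
import hashlib
import hmac
from dataclasses import dataclass

BUDGET_BITS = 384  # fixed per-block space for IV + MAC tag + checksum

@dataclass(frozen=True)
class Layout:
    name: str
    iv_bits: int
    mac_bits: int        # CCM/GCM auth tag length
    hash_name: str       # "sha256" or "sha224"
    checksum_bits: int   # stored prefix of the digest

    def total_bits(self) -> int:
        return self.iv_bits + self.mac_bits + self.checksum_bits

    def collision_strength_bits(self) -> int:
        # Birthday bound: a collision in an n-bit prefix costs about 2^(n/2) work,
        # so a 128-bit truncation leaves ~64 bits whether SHA-256 or SHA-224 made it.
        return self.checksum_bits // 2

    def checksum(self, ciphertext: bytes) -> bytes:
        # Keep the leading bits of the digest (NIST's convention for SHA-224/SHA-512/t).
        return hashlib.new(self.hash_name, ciphertext).digest()[: self.checksum_bits // 8]

    def pack(self, iv: bytes, tag: bytes, ciphertext: bytes) -> bytes:
        # IV and tag come from the AEAD call; the checksum is over the ciphertext.
        if len(iv) * 8 != self.iv_bits or len(tag) * 8 != self.mac_bits:
            raise ValueError("IV or tag length does not match layout")
        blob = iv + tag + self.checksum(ciphertext)
        if len(blob) * 8 > BUDGET_BITS:
            raise ValueError(f"{self.name} exceeds the {BUDGET_BITS}-bit budget")
        return blob

    def verify_checksum(self, blob: bytes, ciphertext: bytes) -> bool:
        # Resilver-style check: recompute the truncated checksum of the ciphertext
        # and compare it with the stored field in constant time.
        off = (self.iv_bits + self.mac_bits) // 8
        stored = blob[off : off + self.checksum_bits // 8]
        return hmac.compare_digest(stored, self.checksum(ciphertext))

OPTIONS = [  # the six layouts from the post, in order
    Layout("Option 1", 96, 128, "sha256", 128),
    Layout("Option 2", 96, 128, "sha224", 128),
    Layout("Option 3", 96, 128, "sha256", 160),
    Layout("Option 4", 96, 32, "sha256", 256),
    Layout("Option 5", 96, 64, "sha224", 224),
    Layout("Option 6", 96, 96, "sha256", 192),
]
```

Options 1 and 2 come out identical in budget use and in collision strength, so the SHA224-vs-SHA256 question only changes which digest the prefix is cut from, not the work needed to collide it.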