tech-install archive
Re: HTTPS trust anchors in sysinst
>>> [*] We should _also_ bake a public signature verification key into
>>> the installers that can verify a signature on the sets which
>>> can in turn be made only by TNF -- [...]
> Enabling HTTPS validation is low-hanging fruit for modern systems in
> a modern world to defend against a large class of plausible threats
> -- namely, MITM on the network between you and cdn.netbsd.org.
How large is the actual threat? Has anyone been hit with such an
attack? I haven't, despite routinely using unsecured connections to
transfer data. (Not being foolhardy, I routinely check integrity with
the likes of sha256 after transferring. But I have never had that
check fail.)
I know the plural of "anecdote" is not "data". But I do find myself
wondering whether this is a practical risk or just - "just", heh - a
potential one.
Regardless, which of those threats does the TNF signature verification
not address? (See also below.)
Not that it matters to me in a practical sense. It is highly unlikely
I am going to be doing an install of any relevant version except,
possibly, on a relatively modern machine for work.
> I am planning to the [*] part but it is not going to be ready for
> netbsd-10, whereas HTTPS validation will be -- in base, at least.
This is, indeed, a reasonable argument for going with the latter,
especially since you are also working on the former - though I would
argue that once the former works, the latter should go away, especially
if the signature can be verified significantly faster than the PK
crypto involved in HTTPS.
>> Also, if you're doing public-key crypto - for anything - in the
>> installers, this will drastically, I am tempted to say
>> catastrophically, slow down installation on low-end machines, like a
>> MicroVAX-II or Sun-3. (Of course, NetBSD might be fine with that.
>> I just think it should be at least thought about.)
> Can you please do the following tests on any low-end machines of
> interest?
Well, the slowest machines I have in routine live use are my
SPARCstation-20s. They are, unfortunately, less than terrifically
useful for this purpose, because they are running an OS based on 1.4T:
> 1. Run `openssl speed' and share the output.
openssl: Command not found.
The most plausible machine for this purpose is probably my shark. (I
think I still own one or two MicroVAXen, but I definitely do not have
one in bootable shape. I could try on my emulator, but that would be
basically the same 1.4T as the SPARCstations and hence useless here.)
openssl speed on the shark running 5.2 (with, to a first approximation,
nothing else running, of course) gives me
Doing md2 for 3s on 16 size blocks: 20020 md2's in 2.98s
Doing md2 for 3s on 64 size blocks: 11380 md2's in 3.00s
Doing md2 for 3s on 256 size blocks: 4140 md2's in 3.00s
Doing md2 for 3s on 1024 size blocks: 1174 md2's in 3.02s
Doing md2 for 3s on 8192 size blocks: 146 md2's in 2.89s
Doing md4 for 3s on 16 size blocks: 105864 md4's in 3.02s
Doing md4 for 3s on 64 size blocks: 96150 md4's in 3.00s
Doing md4 for 3s on 256 size blocks: 75482 md4's in 3.02s
Doing md4 for 3s on 1024 size blocks: 40554 md4's in 3.02s
Doing md4 for 3s on 8192 size blocks: 7607 md4's in 3.00s
Doing md5 for 3s on 16 size blocks: 88285 md5's in 3.00s
Doing md5 for 3s on 64 size blocks: 79619 md5's in 3.02s
Doing md5 for 3s on 256 size blocks: 61368 md5's in 3.00s
Doing md5 for 3s on 1024 size blocks: 32118 md5's in 3.02s
Doing md5 for 3s on 8192 size blocks: 5837 md5's in 3.00s
Doing hmac(md5) for 3s on 16 size blocks: 197327 hmac(md5)'s in 3.02s
Doing hmac(md5) for 3s on 64 size blocks: 158790 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 256 size blocks: 99974 hmac(md5)'s in 3.02s
Doing hmac(md5) for 3s on 1024 size blocks: 40301 hmac(md5)'s in 3.02s
Doing hmac(md5) for 3s on 8192 size blocks: 6128 hmac(md5)'s in 3.00s
Doing sha1 for 3s on 16 size blocks: 67155 sha1's in 3.00s
Doing sha1 for 3s on 64 size blocks: 68716 sha1's in 3.00s
Doing sha1 for 3s on 256 size blocks: 45875 sha1's in 3.02s
Doing sha1 for 3s on 1024 size blocks: 19658 sha1's in 3.02s
Doing sha1 for 3s on 8192 size blocks: 3073 sha1's in 2.98s
Doing sha256 for 3s on 16 size blocks: 86972 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 53416 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 24453 sha256's in 3.02s
Doing sha256 for 3s on 1024 size blocks: 7720 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 1045 sha256's in 3.02s
Doing sha512 for 3s on 16 size blocks: 19509 sha512's in 3.02s
Doing sha512 for 3s on 64 size blocks: 19464 sha512's in 3.00s
Doing sha512 for 3s on 256 size blocks: 7188 sha512's in 3.00s
Doing sha512 for 3s on 1024 size blocks: 2484 sha512's in 3.00s
Doing sha512 for 3s on 8192 size blocks: 349 sha512's in 3.02s
Doing rmd160 for 3s on 16 size blocks: 17177 rmd160's in 3.00s
Doing rmd160 for 3s on 64 size blocks: 17132 rmd160's in 3.02s
Doing rmd160 for 3s on 256 size blocks: 14405 rmd160's in 3.00s
Doing rmd160 for 3s on 1024 size blocks: 8806 rmd160's in 3.02s
Doing rmd160 for 3s on 8192 size blocks: 1896 rmd160's in 3.02s
Doing rc4 for 3s on 16 size blocks: 1914255 rc4's in 3.00s
Doing rc4 for 3s on 64 size blocks: 554127 rc4's in 3.00s
Doing rc4 for 3s on 256 size blocks: 144519 rc4's in 3.00s
Doing rc4 for 3s on 1024 size blocks: 36527 rc4's in 3.02s
Doing rc4 for 3s on 8192 size blocks: 4578 rc4's in 3.02s
Doing des cbc for 3s on 16 size blocks: 337360 des cbc's in 3.00s
Doing des cbc for 3s on 64 size blocks: 89179 des cbc's in 3.02s
Doing des cbc for 3s on 256 size blocks: 22597 des cbc's in 3.00s
Doing des cbc for 3s on 1024 size blocks: 5666 des cbc's in 3.02s
Doing des cbc for 3s on 8192 size blocks: 709 des cbc's in 3.02s
Doing des ede3 for 3s on 16 size blocks: 125989 des ede3's in 3.00s
Doing des ede3 for 3s on 64 size blocks: 32200 des ede3's in 3.02s
Doing des ede3 for 3s on 256 size blocks: 8068 des ede3's in 3.00s
Doing des ede3 for 3s on 1024 size blocks: 2025 des ede3's in 3.02s
Doing des ede3 for 3s on 8192 size blocks: 253 des ede3's in 3.02s
Doing aes-128 cbc for 3s on 16 size blocks: 344521 aes-128 cbc's in 2.98s
Doing aes-128 cbc for 3s on 64 size blocks: 91135 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 23080 aes-128 cbc's in 3.02s
Doing aes-128 cbc for 3s on 1024 size blocks: 5790 aes-128 cbc's in 3.02s
Doing aes-128 cbc for 3s on 8192 size blocks: 721 aes-128 cbc's in 3.00s
Doing aes-192 cbc for 3s on 16 size blocks: 299322 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 64 size blocks: 78212 aes-192 cbc's in 3.02s
Doing aes-192 cbc for 3s on 256 size blocks: 19719 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 1024 size blocks: 4957 aes-192 cbc's in 3.02s
Doing aes-192 cbc for 3s on 8192 size blocks: 617 aes-192 cbc's in 3.00s
Doing aes-256 cbc for 3s on 16 size blocks: 262877 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 68343 aes-256 cbc's in 2.98s
Doing aes-256 cbc for 3s on 256 size blocks: 17291 aes-256 cbc's in 3.02s
Doing aes-256 cbc for 3s on 1024 size blocks: 4334 aes-256 cbc's in 3.02s
Doing aes-256 cbc for 3s on 8192 size blocks: 540 aes-256 cbc's in 3.02s
Doing aes-128 ige for 3s on 16 size blocks: 346055 aes-128 ige's in 3.00s
Doing aes-128 ige for 3s on 64 size blocks: 93655 aes-128 ige's in 3.02s
Doing aes-128 ige for 3s on 256 size blocks: 23774 aes-128 ige's in 3.00s
Doing aes-128 ige for 3s on 1024 size blocks: 6002 aes-128 ige's in 3.00s
Doing aes-128 ige for 3s on 8192 size blocks: 710 aes-128 ige's in 3.02s
Doing aes-192 ige for 3s on 16 size blocks: 298980 aes-192 ige's in 3.00s
Doing aes-192 ige for 3s on 64 size blocks: 79664 aes-192 ige's in 3.00s
Doing aes-192 ige for 3s on 256 size blocks: 20360 aes-192 ige's in 3.00s
Doing aes-192 ige for 3s on 1024 size blocks: 5112 aes-192 ige's in 3.02s
Doing aes-192 ige for 3s on 8192 size blocks: 610 aes-192 ige's in 3.02s
Doing aes-256 ige for 3s on 16 size blocks: 263597 aes-256 ige's in 3.00s
Doing aes-256 ige for 3s on 64 size blocks: 69904 aes-256 ige's in 3.02s
Doing aes-256 ige for 3s on 256 size blocks: 16963 aes-256 ige's in 2.88s
Doing aes-256 ige for 3s on 1024 size blocks: 4451 aes-256 ige's in 3.02s
Doing aes-256 ige for 3s on 8192 size blocks: 534 aes-256 ige's in 3.02s
Doing camellia-128 cbc for 3s on 16 size blocks: 437765 camellia-128 cbc's in 3.00s
Doing camellia-128 cbc for 3s on 64 size blocks: 114362 camellia-128 cbc's in 2.94s
Doing camellia-128 cbc for 3s on 256 size blocks: 29758 camellia-128 cbc's in 3.02s
Doing camellia-128 cbc for 3s on 1024 size blocks: 7472 camellia-128 cbc's in 3.02s
Doing camellia-128 cbc for 3s on 8192 size blocks: 927 camellia-128 cbc's in 3.00s
Doing camellia-192 cbc for 3s on 16 size blocks: 316701 camellia-192 cbc's in 3.02s
Doing camellia-192 cbc for 3s on 64 size blocks: 83009 camellia-192 cbc's in 3.00s
Doing camellia-192 cbc for 3s on 256 size blocks: 20958 camellia-192 cbc's in 3.02s
Doing camellia-192 cbc for 3s on 1024 size blocks: 5258 camellia-192 cbc's in 3.00s
Doing camellia-192 cbc for 3s on 8192 size blocks: 655 camellia-192 cbc's in 3.02s
Doing camellia-256 cbc for 3s on 16 size blocks: 316265 camellia-256 cbc's in 3.00s
Doing camellia-256 cbc for 3s on 64 size blocks: 82534 camellia-256 cbc's in 2.98s
Doing camellia-256 cbc for 3s on 256 size blocks: 21019 camellia-256 cbc's in 3.02s
Doing camellia-256 cbc for 3s on 1024 size blocks: 5271 camellia-256 cbc's in 3.02s
Doing camellia-256 cbc for 3s on 8192 size blocks: 655 camellia-256 cbc's in 3.00s
Doing rc2 cbc for 3s on 16 size blocks: 359748 rc2 cbc's in 3.00s
Doing rc2 cbc for 3s on 64 size blocks: 94717 rc2 cbc's in 3.02s
Doing rc2 cbc for 3s on 256 size blocks: 23974 rc2 cbc's in 3.00s
Doing rc2 cbc for 3s on 1024 size blocks: 6003 rc2 cbc's in 3.02s
Doing rc2 cbc for 3s on 8192 size blocks: 753 rc2 cbc's in 3.00s
Doing blowfish cbc for 3s on 16 size blocks: 803081 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 64 size blocks: 226665 blowfish cbc's in 3.02s
Doing blowfish cbc for 3s on 256 size blocks: 58388 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 1024 size blocks: 14756 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 8192 size blocks: 1843 blowfish cbc's in 3.00s
Doing cast cbc for 3s on 16 size blocks: 708696 cast cbc's in 3.02s
Doing cast cbc for 3s on 64 size blocks: 196888 cast cbc's in 3.02s
Doing cast cbc for 3s on 256 size blocks: 50592 cast cbc's in 2.98s
Doing cast cbc for 3s on 1024 size blocks: 12717 cast cbc's in 3.00s
Doing cast cbc for 3s on 8192 size blocks: 1590 cast cbc's in 3.00s
Doing 512 bit private rsa's for 10s: 549 512 bit private RSA's in 10.00s
Doing 512 bit public rsa's for 10s: 5380 512 bit public RSA's in 10.00s
Doing 1024 bit private rsa's for 10s: 92 1024 bit private RSA's in 10.08s
Doing 1024 bit public rsa's for 10s: 2003 1024 bit public RSA's in 9.97s
Doing 2048 bit private rsa's for 10s: 17 2048 bit private RSA's in 10.38s
Doing 2048 bit public rsa's for 10s: 612 2048 bit public RSA's in 10.00s
Doing 4096 bit private rsa's for 10s: 3 4096 bit private RSA's in 11.97s
Doing 4096 bit public rsa's for 10s: 173 4096 bit public RSA's in 10.02s
Doing 512 bit sign dsa's for 10s: 535 512 bit DSA signs in 9.94s
Doing 512 bit verify dsa's for 10s: 423 512 bit DSA verify in 10.02s
Doing 1024 bit sign dsa's for 10s: 198 1024 bit DSA signs in 10.00s
Doing 1024 bit verify dsa's for 10s: 161 1024 bit DSA verify in 10.02s
Doing 2048 bit sign dsa's for 10s: 62 2048 bit DSA signs in 10.05s
Doing 2048 bit verify dsa's for 10s: 51 2048 bit DSA verify in 10.17s
OpenSSL 0.9.9-dev 09 May 2008
built on: NetBSD 5.2
options:bn(32,32) md2(int) rc4(ptr,int) des(idx,cisc,4,long) aes(partial) blowfish(idx)
compiler: gcc version 4.1.3 20080704 (prerelease) (NetBSD nb3 20111107)
The 'numbers' are in 1000s of bytes per second processed.
type                  16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2                    107.33k      242.77k      353.28k      398.65k      413.76k
mdc2                      0.00         0.00         0.00         0.00         0.00
md4                    561.68k     2051.20k     6407.76k    13770.71k    20772.18k
md5                    470.85k     1689.74k     5236.74k    10906.14k    15938.90k
hmac(md5)             1046.96k     3387.52k     8486.91k    13684.80k    16733.53k
sha1                   358.16k     1465.94k     3894.38k     6675.16k     8435.27k
rmd160                  91.61k      363.59k     1229.23k     2990.21k     5150.52k
rc4                  10209.36k    11821.38k    12332.29k    12403.28k    12436.22k
des cbc               1799.25k     1892.63k     1928.28k     1923.97k     1926.01k
des ede3               671.94k      683.37k      688.47k      687.62k      687.28k
idea cbc                  0.00         0.00         0.00         0.00         0.00
seed cbc                  0.00         0.00         0.00         0.00         0.00
rc2 cbc               1918.66k     2010.16k     2045.78k     2038.41k     2056.19k
rc5-32/12 cbc             0.00         0.00         0.00         0.00         0.00
blowfish cbc          4283.10k     4810.47k     4982.44k     5036.71k     5032.62k
cast cbc              3760.13k     4178.51k     4339.79k     4340.74k     4341.76k
aes-128 cbc           1847.07k     1944.21k     1959.29k     1966.08k     1968.81k
aes-192 cbc           1596.38k     1659.88k     1682.69k     1683.22k     1684.82k
aes-256 cbc           1402.01k     1465.62k     1467.85k     1471.67k     1466.92k
camellia-128 cbc      2334.75k     2491.63k     2526.19k     2537.23k     2531.33k
camellia-192 cbc      1680.32k     1770.86k     1779.15k     1794.73k     1779.32k
camellia-256 cbc      1686.75k     1769.94k     1784.33k     1789.85k     1788.59k
sha256                 463.85k     1139.54k     2075.84k     2635.09k     2838.76k
sha512                 103.51k      415.23k      613.38k      847.87k      948.06k
whirlpool                 0.00         0.00         0.00         0.00         0.00
aes-128 ige           1845.63k     1987.62k     2028.71k     2048.68k     1928.73k
aes-192 ige           1594.56k     1699.50k     1737.39k     1735.86k     1657.08k
aes-256 ige           1405.85k     1483.56k     1510.44k     1511.40k     1450.62k
                    sign    verify   sign/s verify/s
rsa 512 bits   0.018215s 0.001859s     54.9    538.0
rsa 1024 bits  0.109545s 0.004977s      9.1    200.9
rsa 2048 bits  0.610294s 0.016340s      1.6     61.2
rsa 4096 bits  3.989583s 0.057894s      0.3     17.3
                    sign    verify   sign/s verify/s
dsa 512 bits   0.018575s 0.023678s     53.8     42.2
dsa 1024 bits  0.050505s 0.062209s     19.8     16.1
dsa 2048 bits  0.162046s 0.199449s      6.2      5.0
Based on a rudimentary test (ssh key generation with my ssh
implementation), the shark is faster than one of my SPARCstation-20s by
approximately a factor of six.
> 2. Build the attached rwverify.c with
> make rwverify DBG=-g\ -O2 LDLIBS=-lcrypto
> Then run it and share the output.
This does not build on the most recent version I run (5.2-based):
"/home/mouse/rwverify.c", line 180: undefined reference to `BN_bn2binpad'
"/home/mouse/rwverify.c", line 182: undefined reference to `BN_bn2binpad'
"/home/mouse/rwverify.c", line 184: undefined reference to `BN_bn2binpad'
"/home/mouse/rwverify.c", line 186: undefined reference to `BN_bn2binpad'
> 3. Download
> https://falcon-sign.info/Falcon-impl-20211101.zip
> (or
> http://www.NetBSD.org/~riastradh/tmp/20230827/Falcon-impl-20211101.zip
> if you insist on avoiding https),
It's not so much that I "insist on" avoiding it. It's that I have no
HTTPS support on my own machines, so I have to use a work machine, with
the concomitant increase in the inconvenience factor, to fetch over
HTTPS. (I've twice looked at adding HTTPS support to the lynx I use,
each time getting some four or five levels deep in yak shaving before
needing something ridiculously heavyweight for the goal, like perl, and
giving up. Someday I may build my own HTTPS implementation, but that
is...rather low priority for me.)
I found a work machine I could use and fetched it. It too refuses to
build on 1.4T, no surprise there. On 5.2, I had to fiddle the
Makefile, replacing clang with gcc, adding -Drestrict=, and linking
with -lm, after which it builds on the shark - I get nothing worse than
a bunch of "integer constant is too large ..." warnings. (It doesn't
build on i386, complaining about asms.) And, yes, I made sure it was
still using -O3. speed on the shark reports
time threshold = 2.0000 s
kg = keygen, ek = expand private key, sd = sign (without expanded key)
st = sign (with expanded key), vv = verify
sdc, stc, vvc: like sd, st and vv, but with constant-time hash-to-point
keygen in milliseconds, other values in microseconds
degree      kg(ms)      ek(us)      sd(us)     sdc(us)      st(us)     stc(us)      vv(us)     vvc(us)
  256:     1330.00    83703.70   310000.00   277500.00   163846.15   163076.92     2040.63     3437.50
  512:     2280.00   186363.64   592500.00   600000.00   338333.33   341666.67     4402.39     6250.00
 1024:     9620.00   414000.00  1280000.00  1285000.00   713333.33   713333.33     9163.35    12613.64
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
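
Added example, not part of the original message: a Python sketch that parses rows from the `openssl speed` summary tables posted above and puts the single public-key verify time beside the time needed to hash the data a signature would cover. The 100 MB set size and the function names are assumptions made for illustration.

```python
import re

# Rows copied from the summary tables in the message above.
SPEED_SUMMARY = """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha256 463.85k 1139.54k 2075.84k 2635.09k 2838.76k
sha512 103.51k 415.23k 613.38k 847.87k 948.06k
sign verify sign/s verify/s
rsa 2048 bits 0.610294s 0.016340s 1.6 61.2
rsa 4096 bits 3.989583s 0.057894s 0.3 17.3
dsa 2048 bits 0.162046s 0.199449s 6.2 5.0
"""
ASSUMED_SET_BYTES = 100_000_000  # assumption: total size of the sets to verify

# Algorithm name (may contain spaces) followed by five throughput columns.
BULK_ROW = re.compile(r"^(\S.*?)\s+((?:\d+\.\d+k?\s*){5})$")
PK_ROW = re.compile(r"^(rsa|dsa)\s+(\d+) bits\s+([\d.]+)s\s+([\d.]+)s")

def parse_speed(text):
    """Return (bulk, pk): bulk[name] is bytes/s at 8192-byte blocks,
    pk[(alg, bits)] is (sign_seconds, verify_seconds)."""
    bulk, pk = {}, {}
    for line in text.splitlines():
        m = PK_ROW.match(line)
        if m:
            pk[(m.group(1), int(m.group(2)))] = (float(m.group(3)),
                                                 float(m.group(4)))
            continue
        m = BULK_ROW.match(line)
        if m:
            last = m.group(2).split()[-1]
            # The report states its numbers are in 1000s of bytes per second.
            bulk[m.group(1)] = float(last.rstrip("k")) * 1000
    return bulk, pk

def verify_cost(bulk, pk, digest, alg, bits, nbytes):
    """Seconds spent hashing nbytes, and seconds for one signature verify."""
    if bulk[digest] == 0:
        raise ValueError(f"{digest} reported 0.00: not built into this openssl")
    return nbytes / bulk[digest], pk[(alg, bits)][1]

if __name__ == "__main__":
    bulk, pk = parse_speed(SPEED_SUMMARY)
    for alg, bits in sorted(pk):
        h, v = verify_cost(bulk, pk, "sha256", alg, bits, ASSUMED_SET_BYTES)
        print(f"{alg}-{bits}: hash {h:.1f}s + one verify {v:.3f}s")
```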