Symmetric Ciphers

[optnfast]

At present crypto11 only supports asymmetric keys. We would like to extend it to support symmetric ciphers too. This issue covers the relevant confidentiality interfaces and the issues that they raise.

• For MACs, see Symmetric MAC support #7.
• For the implementation, see the experimental symmetric branch.

Throughout I will discuss encryption, with decryption left implicit, unless it's actually different in some relevant way.

Interfaces

cipher.Block

Encrypts or decrypts single blocks in a stateless way. This could be implemented by calling C_EncryptInit and C_Encrypt with a single block and a CKM_*_ECB mechanism.

The alternative approach of using C_EncryptInit once and multiple calls to C_EncryptUpdate will not work; this sequence requires a final C_EncryptFinal but the interface does not include any way for the caller to signal that it is finished.

cipher.BlockMode

Encrypts or decrypts multiple blocks in a stateful way. We would like to turn each call to CryptBlocks into a call to C_EncryptUpdate but again we face the issue that we have no idea when to call C_EncryptFinal. Without this our only option is to fall back to the native block modes (cipher.NewGCMEncrypter etc) with the cipher.Block discussed above. See below for a discussion of the performance impact.

cipher.AEAD

Encrypts or decrypts whole messages. This is much more promising, we can use the PKCS#11 functions in an idiomatic way and don't have to guess when to call C_EncryptFinal.

cipher.Stream

Encrypts or decrypts message fragments in a stateful way. Here we face the same issue as with BlockMode that we do not know when to call C_EncryptFinal , but without the slow implementation of cipher.Block to fall back on.

Performance Issues

On my experimental branch, the native version (using Go's native cipher.NewCBCEncrypter, so making a call to the HSM with each block) takes hundreds of times as long as an idiomatic implementation. For instance encrypting 64Kbyte messages using an emulated nShield HSM:

BenchmarkCBC/Native-8         	       2	 534374921 ns/op
BenchmarkCBC/Idiomatic-8      	    1000	   1155002 ns/op

Or using SoftHSM2:

BenchmarkCBC/Native-8         	      10	 127608341 ns/op
BenchmarkCBC/Idiomatic-8      	   10000	    384101 ns/op

Our issues could, superficially, be solved if cipher.Block, cipher.BlockMode and cipher.Stream had Close() methods. However, given that this isn't already true, deployment of a change could be painful, as all code using these would have to be updated to call the new method, before it could correctly use crypto11.

See golang/go#26787 for further discussion on this point.

References

• PKCS#11 2.40 s5.8 Encryption Functions
• Go crypto/cipher