New crypto discussion #3918
Replies: 82 comments 5 replies
-
The first question should be: When is Mumble 1.4 going to be released? It took 10 years to go from Mumble 1.2 to Mumble 1.3. Maybe in 10 years there will be a lot better crypto technology and it's better to decide when Mumble 1.4 release is nearby. In 10 years, assuming OpenSSL is still relevant even very old Ubuntus are going to ship with a new version of it. Is there any issue with any other OS? I say:
|
Beta Was this translation helpful? Give feedback.
-
OpenSSL changelog 1.1.0:
Ubuntu 18.04 LTS has a libssl1.1 package in its repo, so it looks like it supports it to me. Just gotta install it in case it's not installed by default, what's wrong with that? |
Beta Was this translation helpful? Give feedback.
-
Ubuntu 16.04 will have it's end of life in april 2021. So that's almost another 1,5 years. THough apparently it is not even listed on Ubuntu's website for download anymore... Can't we statically link to OpenSSL and thus don't care what packages are available on the user's OS? |
Beta Was this translation helpful? Give feedback.
-
@trudnorx Mumble 1.4 is possibly going to be released in 2020. Changing the code is not an issue, even with OpenSSL we would have to rewrite it, because we're not using the EVP interface right now. As for the performance and testing, I agree. wolfCrypt would've been a perfect replacement if it wasn't for the optimizations issue and maybe also the license. @Krzmbrzl That's a valid option, yes. The issue is that also Qt uses OpenSSL, meaning that we would have to link to two different versions of the same library... |
Beta Was this translation helpful? Give feedback.
-
And Qt also links statically? Why do we need different versions then? Does Qt use a version that is too old? |
Beta Was this translation helpful? Give feedback.
-
Qt uses the version provided by the distribution (unless we link to our own Qt). |
Beta Was this translation helpful? Give feedback.
-
Ah and I assume this would make things complicated once we start statically linking to another version of OpenSSL 💡 |
Beta Was this translation helpful? Give feedback.
-
Problem with statically linking OpenSSL is that it wouldn't get security updates. |
Beta Was this translation helpful? Give feedback.
-
Indeed. One thing we could do is write an implementation for OpenSSL and one for libsodium, using the latter only when https://cmake.org/cmake/help/latest/module/CheckFunctionExists.html |
Beta Was this translation helpful? Give feedback.
-
And as far as I understand these things are OR. So it's (uses OpenSSL) OR (free source) OR (noncommercial AND nonmilitary). So what's the problem with just using OCB3?
|
Beta Was this translation helpful? Give feedback.
-
The point about patents is that Mumble uses a BSD license which grants rights that are incompatible with those patents. Thus for people using mumble commercially, this would be a problem Using libsodium as a backup solution sounds good to me. Though I don't know how much effort this would be |
Beta Was this translation helpful? Give feedback.
-
As far as I understand that wouldn't be a problem because there is a patent grant for programs using OpenSSL. So even if they make commercial software based on Mumble and don't release the source, there is still no patent problem. |
Beta Was this translation helpful? Give feedback.
-
Hm I'm far from being an lawyer but I guess you could be correct. I don't know though if this license allows OpenSSL to implement it and does not grant further permission to the party using OpenSSL... |
Beta Was this translation helpful? Give feedback.
-
Also, OCB was introduced in OpenSSL 1.1 (https://www.openssl.org/docs/manmaster/man3/EVP_aes_256_ocb.html), meaning that the compatibility issue would remain.
Our current implementation doesn't make use of AES-NI, meaning that only the higher bits (256 instead of 128) can lower the performance. |
Beta Was this translation helpful? Give feedback.
-
It allows all those permissions to the party using OpenSSL. Just read it. Read points 1.3, 1.4 and 2.1. There is no patent problem. |
Beta Was this translation helpful? Give feedback.
-
Afaik there is not
That way you'd still be stuck on a specific cipher for a given transport protocol. If you need to change the cipher (because it is deemed un-secure), you'd be out of luck. Imo that belongs into a separate issue though ☝️ |
Beta Was this translation helpful? Give feedback.
-
You just negotiate a name that defines the transport and the cipher, like: udp-aes128-ocb |
Beta Was this translation helpful? Give feedback.
-
@streaps I'm tracing the It looks like only few places referred to this field.
Read:
Therefore, I believe it can be deleted without much to worry about. What bothers me is Lines 2020 to 2021 in e6f9883 I think this part is certainly deprecated and need to be removed in the next version. Also, I discovered there're also many places in our proto has Opus field. Like UserStats and CodecVersion. I think we only need to keep the one inside CodecVersion. Other duplicated Opus fields should be removed. I will open another issue regarding this. |
Beta Was this translation helpful? Give feedback.
-
@streaps However, UDP ping packets is also encrypted, so it does not entirely belong to audio. Currently, I still decide that I will go with adding a supported_cipher field in |
Beta Was this translation helpful? Give feedback.
-
@TerryGeng, I don't like the name CryptoModes as it suggest a "mode of operation" in crypto speak (IMO). I also feel that CryptoModes in the Version packet is the equivalent of "celt_versions" and "opus" fields the in Authenticate packet. More like a patchwork of stuff lacking any deliberate design. |
Beta Was this translation helpful? Give feedback.
-
Keep in mind that OCB patents are about to expire as well. |
Beta Was this translation helpful? Give feedback.
-
There are no real problems with the OCB patents anyway. It's only FUD (yes, some libre software fanatics can spread that too). |
Beta Was this translation helpful? Give feedback.
-
According to https://en.wikipedia.org/wiki/OCB_mode#Patents it is only allowed to use OCB in software licensed under GPL (which Mumble is not) or in a non-commercial setting. There's the problem: Right now it is currently not possible to legally use Mumble commercially without fiddling with those patents. |
Beta Was this translation helpful? Give feedback.
-
According to the same Wikipedia page: and according to the linked license page: also: |
Beta Was this translation helpful? Give feedback.
-
Why not LibreSSL? |
Beta Was this translation helpful? Give feedback.
-
It appears to be in vcpkg: https://github.com/microsoft/vcpkg/tree/master/ports/libressl If their licensing is compatible it might be worth a discussion. |
Beta Was this translation helpful? Give feedback.
-
To provide a bit of historical context: When we first implemented the crypt layer, we reached out to the inventor of OCB about the licensing. As a result, Mumble has an explicit permission, direct from the inventor, to include OCB under BSD (as well as GPL) on a royalty-free basis. |
Beta Was this translation helpful? Give feedback.
-
But it is missing in Debian GNU/Linux and perhaps all derivatives. |
Beta Was this translation helpful? Give feedback.
-
Okay let's open the DTLS box again. @jedisct1 and @streaps you voiced concerns about DTLS being slow, insecure and too much overhead. Could you perhaps elaborate on that (preferably with some sources linked)? When I read the DTLS specs it did not appear as if it was doing something very different than what we are doing right now except that it does not require a separate TCP channel to get things done 👀 |
Beta Was this translation helpful? Give feedback.
-
We're currently using AES-128-OCB as cipher for the UDP channel (the TCP channel uses TLS, handled by Qt).
While there aren't known security issues, we believe it's time to switch to a better cipher.
We initially planned to switch from OCB to OCB3, but the patents issues would have remained.
AES-256-AEGIS, AES-256-GCM and ChaCha20-Poly1305 are the proposed alternatives.
@jedisct1 (libsodium's maintainer) recommended AES-256-AEGIS for better performance and ChaCha20-Poly1305 for better compatibility.
Our baseline for Mumble 1.4 is Ubuntu 18.04, which provides:
Benchmarks
https://github.com/mumble-voip/crypto-benchmark is the tool we used to measure performance.
AMD Ryzen 7-3800X
Intel Core i5-4690
AMD FX-6300
x86_64 CPU on Travis CI
ARM64 CPU on Travis CI
Thoughts
Please note that when talking about performance I'm only referring to ChaCha20-Poly1305, which is the cipher we're going to use.
NSS
Advantages
Disadvantages
libsodium
Advantages
Disadvantages
wolfCrypt
Advantages
Disadvantages
Beta Was this translation helpful? Give feedback.
All reactions