[HN Gopher] Google open sourced PSP (hardware cryptographic offl...
___________________________________________________________________
Google open sourced PSP (hardware cryptographic offload)

Author : 0123456
Score  : 77 points
Date   : 2022-05-19 16:51 UTC (6 hours ago)

(HTM) web link (cloud.google.com)
(TXT) w3m dump (cloud.google.com)

| SEJeff wrote:
| It is a real shame that they couldn't have made this work
| with/for wireguard.
|
|   hujun wrote:
|   According to the blog, one key driver for inventing a new
|   protocol is that Google wants to do per-connection encryption
|   (e.g. using different keys for each TCP/UDP connection). I don't
|   think wireguard (which is an interface-based model) could be
|   easily modified to support that.
|
|     cmeacham98 wrote:
|     I don't see why it couldn't; both sides just need some way to
|     get the key to use for each connection (which is a problem
|     their current solution already has to solve somehow).
|
|   remus wrote:
|   It sounds like they were working on this before wireguard would
|   have been a viable option.
|
| matthewaveryusa wrote:
| Is the ICV the same thing as the authtag? (rhetorical question, I
| looked at the code: yes it is) I've never seen the authtag/mac
| for aes-gcm referred to as ICV -- any context on why it's used
| here? Is it a more general term cryptographers use, or is it the
| new way (or old way) to refer to authtags?
|
| wrt IV reuse, the protocol doc says the NICs use a picosecond
| timestamp counter -- do NICs really have picosecond resolution
| clocks, or is it nanoseconds + a monotonically increasing counter
| within the nanosecond?
|
|   sophacles wrote:
|   IPsec calls the tag an ICV too (see RFC 7296 ss 3.3 for
|   example). It's short for Integrity Check Value.
|
|   edit: an even better RFC for this question is 4106, which is
|   about aes-gcm in ESP; it calls the tag an ICV also.
|
| allanrbo wrote:
| TLS uses certificate authorities and a public key infrastructure
| to ensure the authenticity of a peer. Is authenticity also
| something PSP provides, or is it focused on confidentiality and
| integrity?
|
|   0123456 wrote:
|   Great question. The master key of PSP is stored in the NIC and
|   shipped with the device. That's how authenticity is provided.
|   Other than that, it's focused on confidentiality and integrity.
|
| wmf wrote:
| I wonder if this is being released now because it's in Mount
| Evans.
|
| nimbius wrote:
| "To support this, we are making PSP open source to encourage
| broader adoption by the community and hardware implementation by
| additional NIC vendors."
|
| ...so...no NIC vendors mentioned?...what are we supposed to do
| with PSP but wait for a private company to build a PSP NIC?
|
|   sophacles wrote:
|   You don't have an in-house ASIC team?! That's ok -- just call
|   your HW provider and have them whip something up to include it
|   when building out your next round of datacenters.
|
| joshuamorton wrote:
| Title should probably be "cryptographic" to disambiguate from
| something cryptocurrency related, unfortunately.
|
|   [deleted]
|
|   cglong wrote:
|   Considering emailing the mods about this, since it's (IMO)
|   misleading, as well as heavily editorialized.
|
|     0123456 wrote:
|     Done.
___________________________________________________________________
(page generated 2022-05-19 23:01 UTC)
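Two points raised in the thread above, that the ICV is simply the AES-GCM authentication tag and that IV (nonce) reuse is what the NIC's counter-based IV is there to prevent, are easy to see in working code. The following Go program is an added example, not code from the PSP project or from any commenter. It uses only Go's standard library AES-GCM. The 32-bit salt / 64-bit counter split used to build the 96-bit nonce is an assumption made for the example (in the style of the RFC 4106 nonce layout); it is not a description of how a PSP NIC actually derives its IVs, and the key, header bytes and payloads are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// ICVLen is the length of the AES-GCM authentication tag. IPsec (RFC 4106)
// and PSP call it the Integrity Check Value (ICV); most other literature
// calls it the auth tag or MAC. It is the same 16 bytes either way.
const ICVLen = 16

// nonceFromCounter packs a fixed 32-bit salt and a 64-bit monotonically
// increasing counter into the 96-bit GCM nonce. This salt/counter layout is
// an assumption for this example, not PSP's actual IV construction; the
// property that matters is that the counter never repeats under one key.
func nonceFromCounter(salt uint32, counter uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[:4], salt)
	binary.BigEndian.PutUint64(nonce[4:], counter)
	return nonce
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSplit encrypts plaintext under key/nonce, also authenticating aad, and
// returns ciphertext and ICV as separate slices so the tag boundary is
// visible. Go's Seal appends the tag; it is the last gcm.Overhead() bytes.
func sealSplit(key, nonce, plaintext, aad []byte) (ct, icv []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	out := gcm.Seal(nil, nonce, plaintext, aad)
	split := len(out) - gcm.Overhead()
	return out[:split], out[split:], nil
}

// openSplit re-joins ciphertext and ICV and verifies before decrypting.
// ok is false if the ICV, ciphertext, nonce or aad was altered.
func openSplit(key, nonce, ct, icv, aad []byte) (pt []byte, ok bool) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, false
	}
	joined := append(append([]byte{}, ct...), icv...)
	pt, err = gcm.Open(nil, nonce, joined, aad)
	if err != nil {
		return nil, false
	}
	return pt, true
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// nonceReuseLeak seals two plaintexts under the same key AND the same nonce
// and returns ct1 XOR ct2. GCM encrypts with AES-CTR, so the keystream is
// identical for both messages and the result equals pt1 XOR pt2: anyone who
// sees both ciphertexts learns the XOR of the plaintexts without the key.
// (Recovery of the GHASH key, and so tag forgery, is the other consequence.)
func nonceReuseLeak(key, nonce, pt1, pt2 []byte) ([]byte, error) {
	ct1, _, err := sealSplit(key, nonce, pt1, nil)
	if err != nil {
		return nil, err
	}
	ct2, _, err := sealSplit(key, nonce, pt2, nil)
	if err != nil {
		return nil, err
	}
	return xorBytes(ct1, ct2), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed test key
	nonce := nonceFromCounter(0x00000001, 1)
	aad := []byte("constructed packet header")

	ct, icv, err := sealSplit(key, nonce, []byte("payload"), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ct=%x icv=%x (icv len %d)\n", ct, icv, len(icv))

	bad := append([]byte{}, icv...)
	bad[0] ^= 0x01
	_, ok := openSplit(key, nonce, ct, bad, aad)
	fmt.Println("open with one ICV bit flipped succeeds:", ok)

	leak, err := nonceReuseLeak(key, nonce, []byte("attack at dawn"), []byte("attack at dusk"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("ct1 XOR ct2 = %q\n", leak)
}
```

The split in sealSplit is the whole answer to the ICV question: the "tag" is whatever bytes the AEAD appends, and IPsec-derived specs just give those bytes a different name. The nonceReuseLeak function is why the thread's question about timestamp resolution matters: a 96-bit GCM nonce that repeats under one key gives an observer the XOR of two packets' payloads, which is why a per-key monotonic counter (whatever clock or counter feeds it) is the property to check, not the nominal picosecond resolution.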