[HN Gopher] Google open sourced PSP (hardware cryptographic offl...
___________________________________________________________________
Google open sourced PSP (hardware cryptographic offload)
Author : 0123456
Score : 77 points
Date : 2022-05-19 16:51 UTC (6 hours ago)
(HTM) web link (cloud.google.com)
(TXT) w3m dump (cloud.google.com)
| SEJeff wrote:
| It is a real shame that they couldn't have made this work
| with/for WireGuard.
| hujun wrote:
| According to the blog, one key driver for inventing a new
| protocol is that Google wants to do per-connection encryption
| (e.g. using different keys for each TCP/UDP connection). I don't
| think WireGuard (which is an interface-based model) could be
| easily modified to support that.
| cmeacham98 wrote:
| I don't see why it couldn't, both sides just need some way to
| get the key to use for each connection (which is a problem
| their current solution already has to solve somehow).
| remus wrote:
| It sounds like they were working on this before wireguard would
| have been a viable option.
| matthewaveryusa wrote:
| Is the ICV the same thing as the authtag? (Rhetorical question; I
| looked at the code: yes it is.) I've never seen the authtag/MAC
| for AES-GCM referred to as ICV -- any context on why it's used
| here? Is it a more general term cryptographers use, or is it the
| new way (or old way) to refer to authtags?
|
| W.r.t. IV reuse, the protocol doc says the NICs use a picosecond
| timestamp counter -- do NICs really have picosecond-resolution
| clocks, or is it nanoseconds + a monotonically increasing counter
| within the nanosecond?
| sophacles wrote:
| IPsec calls the tag an ICV too (see RFC 7296, section 3.3, for
| example). It's short for Integrity Check Value.
|
| Edit: an even better RFC for this question is RFC 4106, which is
| about AES-GCM in ESP; it calls the tag an ICV also.
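Added example (not code from this thread, nor from Google's PSP release), in Go's standard library AES-GCM, showing the two points the replies above touch on: the 16-byte authentication tag that ESP (RFC 4106) and PSP call the ICV, which rejects any modified packet, and why the per-key nonce counter must never repeat. The key, nonce, header and payload values are constructed for the demo.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "fmt"

// gcmFor builds an AES-GCM AEAD (12-byte nonce, 16-byte tag); key is 16, 24 or 32 bytes.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return g
}

// Seal encrypts pt with AES-GCM and returns the ciphertext and the 16-byte
// authentication tag separately; that tag is what ESP/PSP call the ICV.
func Seal(key, nonce, aad, pt []byte) (ct, icv []byte) {
	g := gcmFor(key)
	out := g.Seal(nil, nonce, pt, aad)
	n := len(out) - g.Overhead()
	return out[:n], out[n:]
}

// Open recomputes the ICV over aad and ct and decrypts; ok is false on any mismatch.
func Open(key, nonce, aad, ct, icv []byte) (pt []byte, ok bool) {
	pt, err := gcmFor(key).Open(nil, nonce, append(append([]byte{}, ct...), icv...), aad)
	return pt, err == nil
}

// NonceReuseLeaks shows why the nonce counter must never repeat under one key:
// with equal key and nonce the GCM keystream cancels, so ct1^ct2 == pt1^pt2 (len(pt1) <= len(pt2)).
func NonceReuseLeaks(key, nonce, pt1, pt2 []byte) bool {
	ct1, _ := Seal(key, nonce, nil, pt1)
	ct2, _ := Seal(key, nonce, nil, pt2)
	for i := range pt1 {
		if ct1[i]^ct2[i] != pt1[i]^pt2[i] {
			return false
		}
	}
	return true
}

func main() {
	key, nonce := []byte("0123456789abcdef0123456789abcdef"), make([]byte, 12) // constructed demo values
	ct, icv := Seal(key, nonce, []byte("hdr"), []byte("payload"))
	ct[0] ^= 1 // flip one ciphertext bit: the ICV check must now fail
	_, ok := Open(key, nonce, []byte("hdr"), ct, icv)
	fmt.Printf("icv=%x (%d bytes); tampered packet accepted: %v\n", icv, len(icv), ok)
}
```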
| allanrbo wrote:
| TLS uses certificate authorities and a public key infrastructure
| to ensure the authenticity of a peer. Is authenticity also
| something PSP provides, or is it focused on confidentiality and
| integrity?
| 0123456 wrote:
| Great question. The master key of PSP is stored in the NIC and
| shipped with the device. That's how authenticity is provided.
| Other than that, it's focused on confidentiality and integrity.
| wmf wrote:
| I wonder if this is being released now because it's in Mount
| Evans.
| nimbius wrote:
| "To support this, we are making PSP open source to encourage
| broader adoption by the community and hardware implementation by
| additional NIC vendors. "
|
| ...so...no nic vendors mentioned?...what are we supposed to do
| with PSP but wait for a private company to build a PSP nic?
| sophacles wrote:
| You don't have an in house ASIC team?! That's ok -- just call
| your HW provider and have them whip something up to include it
| when building out your next round of datacenters.
| joshuamorton wrote:
| Title should probably be "cryptographic" to disambiguate from
| something cryptocurrency related, unfortunately.
| [deleted]
| cglong wrote:
| Considering emailing the mods about this, since it's (IMO)
| misleading, as well as heavily editorialized.
| 0123456 wrote:
| Done.
___________________________________________________________________
(page generated 2022-05-19 23:01 UTC)