RE: how to use crypto openssl PMD for asymmetric encryption and decryption

["Kusztal, ArkadiuszX" <arkadiuszx.kusztal@intel.com>]

[-- Attachment #1: Type: text/plain, Size: 13707 bytes --]

Please consult, "length" information in rte_crypto_sym_op structure https://doc.dpdk.org/api/structrte__crypto__sym__op.html#aebb70c2aab3407a9f05334c47131a43b.

AES-CBC (or any CBC) is a block cipher -> source length should be multiple of the block size. Since DPDK does not append padding, it is user responsibility to make input data multiple of underlying block size.


From: Balakrishnan K <Balakrishnan.K1@tatacommunications.com>
Sent: Monday, June 6, 2022 2:32 PM
To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; users@dpdk.org
Subject: RE: how to use crypto openssl PMD for asymmetric encryption and decryption

Hi Arik,
  I have referred the symmetric cryptodev test cases and wrote the sample.
I can encrypt the text as given in the example.
While trying to change the offset and the length the crypto operation failing with below errors.

process_openssl_cipher_encrypt() line 946: Process openssl cipher encrypt failed
USER1: Error sending packet for encryption

Example:
  I tried the offset value as 8 and length as 512 encryption failed.
Tried offset value as 8 and length as 496 (512-8) encryption working fine.
Dose it mean if we change the offset to multiples of 8 same offset value needs to be subtracted from the length (512-8 = 496)

In my case trying to encrypt the tcp payload the starting offset value is 42 and length of the payload is 82.

So, I have set the below value.

        sym_op->cipher.data.offset = 42;  (starting point of the data to be sent for crypto process)
        sym_op->cipher.data.length = 82; (length of the data)

encryption process not working.
Using         cipher_xform.cipher.algo = RTE_CRYPTO_CIPHER_AES_CBC;
        cipher_xform.cipher.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT;

can you help on this how set the proper offset and the length value.

Regards,
Bala



From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com<mailto:arkadiuszx.kusztal@intel.com>>
Sent: 31 May 2022 13:00
To: Balakrishnan K <Balakrishnan.K1@tatacommunications.com<mailto:Balakrishnan.K1@tatacommunications.com>>; users@dpdk.org<mailto:users@dpdk.org>
Subject: RE: how to use crypto openssl PMD for asymmetric encryption and decryption

Hi Bala,

It is similar situation, it is the user who needs to decide where to start encryption process.
Please consult:
https://doc.dpdk.org/api/structrte__crypto__sym__op.html<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdoc.dpdk.org%2Fapi%2Fstructrte__crypto__sym__op.html&data=05%7C01%7CBalakrishnan.K1%40tatacommunications.com%7Cf67a05accad74ae8ba4b08da42d77d37%7C202104622c5e4ec8b3e20be950f292ca%7C0%7C0%7C637895790535001554%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=bO25b5ylXhvsD8EnoCbJvo9W5V%2BsIKPFwnwugemKW6k%3D&reserved=0>
https://doc.dpdk.org/guides/prog_guide/cryptodev_lib.html<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdoc.dpdk.org%2Fguides%2Fprog_guide%2Fcryptodev_lib.html&data=05%7C01%7CBalakrishnan.K1%40tatacommunications.com%7Cf67a05accad74ae8ba4b08da42d77d37%7C202104622c5e4ec8b3e20be950f292ca%7C0%7C0%7C637895790535001554%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=TBY5Dk0Gbh0NdGHYetubv%2FW3z4uCOhsqRhphpCvL7iQ%3D&reserved=0>
Please look into 'offset' and 'length' fields.

P.S. "encrypting the entire packets" -> it is usually not good idea to encrypt entire packets -> packets need to know where to travel, though authentication usually is done over the entire packet.
P.S. (2) Using asymmetric cryptography for network packet payload encryption is not usually good idea either, not to mention natural performance penalty and few additional security issues, size of the encrypted data is usually limited to the size = (key size - [additional options | paddings | etc])

Regards,
Arek

From: Balakrishnan K <Balakrishnan.K1@tatacommunications.com<mailto:Balakrishnan.K1@tatacommunications.com>>
Sent: Tuesday, May 31, 2022 8:14 AM
To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com<mailto:arkadiuszx.kusztal@intel.com>>; users@dpdk.org<mailto:users@dpdk.org>
Subject: RE: how to use crypto openssl PMD for asymmetric encryption and decryption

Hi Arek,
   How about symmetric Cryptodev encryption .
In l2fwd_cryptodev example I could see the packets from Rx queue is fetched and passed to encryption.
Is symmetric encryption , encrypting the entire packets or payload section?

Regards,
Bala

From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com<mailto:arkadiuszx.kusztal@intel.com>>
Sent: 30 May 2022 17:52
To: Balakrishnan K <Balakrishnan.K1@tatacommunications.com<mailto:Balakrishnan.K1@tatacommunications.com>>; users@dpdk.org<mailto:users@dpdk.org>
Subject: RE: how to use crypto openssl PMD for asymmetric encryption and decryption

For the Asym Cryptodev data to be encrypted it totally opaque -> it does not hold any information about data provided by the user, except for the algorithm parameters of course. So for example for the RSA, data that "asym_op->rsa.message.data" points to, will be encrypted up to the size of "asym_op->rsa.message.length" (provided size is in scope of possible encryption sizes) regardless if it is TLS or IKE or anything else.



From: Balakrishnan K <Balakrishnan.K1@tatacommunications.com<mailto:Balakrishnan.K1@tatacommunications.com>>
Sent: Monday, May 30, 2022 1:59 PM
To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com<mailto:arkadiuszx.kusztal@intel.com>>; users@dpdk.org<mailto:users@dpdk.org>
Subject: RE: how to use crypto openssl PMD for asymmetric encryption and decryption

Hi Arek,
    Thanks for your inputs.
I wrote the sample application to encrypt the text from a file also decrypting the same.
Now next step is to encrypt the incoming packets.
I have one basic doubt. During rte_cryptodev_enqueue_burst call with operation type as RTE_CRYPTO_ASYM_OP_ENCRYPT.
For the incoming packet.
what is being encrypted ,Is it entire packet or the payload(data section) ?

Regards,
Bala

From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com<mailto:arkadiuszx.kusztal@intel.com>>
Sent: 25 May 2022 16:13
To: Balakrishnan K <Balakrishnan.K1@tatacommunications.com<mailto:Balakrishnan.K1@tatacommunications.com>>; users@dpdk.org<mailto:users@dpdk.org>
Subject: RE: how to use crypto openssl PMD for asymmetric encryption and decryption

Hi Bala,

To fill the below struct do I need to extract Publickey exponent , Private key exponent etc.
[Arek] - yes, you need to convert keys into big-endian unsigned integer.
In the file "test_cryptodev_rsa_test_vectors.h" there are few examples.

Regards,
Arek


From: Balakrishnan K <Balakrishnan.K1@tatacommunications.com<mailto:Balakrishnan.K1@tatacommunications.com>>
Sent: Wednesday, May 25, 2022 12:08 PM
To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com<mailto:arkadiuszx.kusztal@intel.com>>; users@dpdk.org<mailto:users@dpdk.org>
Subject: RE: how to use crypto openssl PMD for asymmetric encryption and decryption

Hi Arek,
    I have public and private key with me which can be used for encryption/decryption.

To fill the below struct do I need to extract Publickey exponent , Private key exponent etc.
The reason why I am asking is, in openssl for encryption we will use key directly with the exposed API.
Example :

RSA_private_encrypt(strlen(msg), (unsigned char *)msg, encrypted, rsa, RSA_PKCS1_PADDING);

Here in dpdk the rsa struct looks different .

Thanks in advance.

struct rte_crypto_rsa_xform {
rte_crypto_param n;
        /**< n - Modulus
         * Modulus data of RSA operation in Octet-string network
         * byte order format.
         */

        rte_crypto_param e;
        /**< e - Public key exponent
         * Public key exponent used for RSA public key operations in Octet-
         * string network byte order format.
         */

        enum rte_crypto_rsa_priv_key_type key_type;

        __extension__
        union {
                rte_crypto_param d;
                /**< d - Private key exponent
                 * Private key exponent used for RSA
                 * private key operations in
                 * Octet-string  network byte order format.
                 */

                struct rte_crypto_rsa_priv_key_qt qt;
                /**< qt - Private key in quintuple format */
        };
};


Regards,
Bala
From: Balakrishnan K
Sent: 24 May 2022 17:42
To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com<mailto:arkadiuszx.kusztal@intel.com>>; users@dpdk.org<mailto:users@dpdk.org>
Subject: RE: how to use crypto openssl PMD for asymmetric encryption and decryption

Hi Arek,
  Thanks for the detailed explanation.

Regards,
Bala

From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com<mailto:arkadiuszx.kusztal@intel.com>>
Sent: 24 May 2022 14:44
To: Balakrishnan K <Balakrishnan.K1@tatacommunications.com<mailto:Balakrishnan.K1@tatacommunications.com>>; users@dpdk.org<mailto:users@dpdk.org>
Subject: RE: how to use crypto openssl PMD for asymmetric encryption and decryption


I should use

debug_hexdump(stdout, "encrypted message", asym_op->rsa.cipher.data,

                      asym_op->rsa.cipher.length);

to check the encrypted message for the input given?

Yes, currently it works this way. The same way output for decryption will be placed in asym_op->rsa.message.data and input in asym_op->rsa.cipher.data.
More explanations can be found in rte_crypto_asym.h file
https://doc.dpdk.org/api/structrte__crypto__rsa__op__param.html<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdoc.dpdk.org%2Fapi%2Fstructrte__crypto__rsa__op__param.html&data=05%7C01%7CBalakrishnan.K1%40tatacommunications.com%7Cf67a05accad74ae8ba4b08da42d77d37%7C202104622c5e4ec8b3e20be950f292ca%7C0%7C0%7C637895790535001554%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mPkeI59HaahrnKQDuXONtJmROezh0VIdIc1JutBhjRI%3D&reserved=0>.

From: Balakrishnan K <Balakrishnan.K1@tatacommunications.com<mailto:Balakrishnan.K1@tatacommunications.com>>
Sent: Tuesday, May 24, 2022 7:24 AM
To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com<mailto:arkadiuszx.kusztal@intel.com>>; users@dpdk.org<mailto:users@dpdk.org>
Subject: RE: how to use crypto openssl PMD for asymmetric encryption and decryption

Hi Arek,
   Thanks for quick response.
I am using resulted output vector to verify the encrypted message.

I thought the encrypted data will be in the asym_op->rsa.message.data after rte_cryptodev_enqueue_burst and rte_cryptodev_enqueue_burst call with operation type RTE_CRYPTO_ASYM_OP_ENCRYPT.

So ,I checked the hex_dump of asym_op->rsa.message.data.



Code snippet:

asym_op = result_op->asym;

debug_hexdump(stdout, "encrypted message", asym_op->rsa.message.data,

                      asym_op->rsa.message.length);







Encrypted data will be placed in asym_op->rsa.cipher.data after crypto operation is my understanding is correct ?

I should use

debug_hexdump(stdout, "encrypted message", asym_op->rsa.cipher.data,

                      asym_op->rsa.cipher.length);

to check the encrypted message for the input given?





Regards,

Bala



From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com<mailto:arkadiuszx.kusztal@intel.com>>
Sent: 23 May 2022 18:15
To: Balakrishnan K <Balakrishnan.K1@tatacommunications.com<mailto:Balakrishnan.K1@tatacommunications.com>>; users@dpdk.org<mailto:users@dpdk.org>
Subject: RE: how to use crypto openssl PMD for asymmetric encryption and decryption


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hi Bala,

Ciphertext will be written into asym_op->rsa.cipher.data (not message.data) by the PMD, here you are using same address for both hex dumps.
Although there is a bug in debug_hexdump in this function which may cause this confusion.

Plus, the test you are referring is PWCT test (Pairwise conditional test) -> it will encrypt, then decrypt.
Please take a look into this comment in queue_ops_rsa_enc_dec function:
/* Use the resulted output as decryption Input vector*
So above this line there is an encryption part.
Below is decryption.

Regards,
Arek

From: Balakrishnan K <Balakrishnan.K1@tatacommunications.com<mailto:Balakrishnan.K1@tatacommunications.com>>
Sent: Monday, May 23, 2022 1:33 PM
To: users@dpdk.org<mailto:users@dpdk.org>
Subject: how to use crypto openssl PMD for asymmetric encryption and decryption

Hi All,
   I am new to dpdk. Planning to use openssl crypto PMD for encrypting/decrypting  the packets.
Couldn't find much documents on openssl PMD for asymmetric encryption/decryption.
Any one please point me in the right document.

I have tried to run the test cases wrote for asymmetric crypto using openssl virtual PMD.
But the output of particular test case is same after the encryption done.

File : app/test/test_cryptodev_asym.c
Test executable: ./app/test/dpdk-test
Test case : test_rsa_enc_dec

Input given to encryption:
message at [0x1894e60], len=20
00000000: F8 BA 1A 55 D0 2F 85 AE 96 7B B6 2F B6 CD A8 EB | ...U./...{./....
00000010: 7E 78 A0 50                                     | ~x.P

After processing the output also looks like same :
encrypted message exist at [0x1894e60], len=20
00000000: F8 BA 1A 55 D0 2F 85 AE 96 7B B6 2F B6 CD A8 EB | ...U./...{./....
00000010: 7E 78 A0 50


Regards,
Bala

[-- Attachment #2: Type: text/html, Size: 32901 bytes --]