RE: Instant chats and central servers

      I don't see how that can be. A P3-600 can RC4 encrypt over
60MB/sec in 64 byte blocks. That figure drops to only 45MB/sec in 8
byte blocks. This is a slight overstatement because cache
effectiveness is increased by repeatedly encrypting the same stream.

What crack are you smoking? RC4 is a stream cipher, it does not get
applied to block sizes of any kind. Perhaps this shows the performance of
the surrounding components feeding data to be encrypted in someone's
benchmark, but it does not relate to the algorithm itself. Stream ciphers
are just stateful pseudo random number generator, with the results being
XOR'd into the plaintext on a byte by byte basis. This makes them
extremely fast and light weight, but as WEP has recently demonstrated for
us very vulnerable to "attack of the poorly implemented crypto".

Don't get me wrong I rather like RC4, I can write it off the top of my
head in 30 seconds, encrypt data at very high speeds, and it provides a
good level of security IF implemented correctly. The problem is I don't
trust it in other people's implementations unless I've double-checked it
myself, because it's real easy to mess up.

      If a chat server with a P3-733 has a throughput of, say, 8MB/sec
out and 3MB/sec in, encryption on all that traffic would eat less than
15% of the CPU. There would be some memory usage to store all the
encryption/decryption state information but memory is cheap.

That's a lot of chat! But the issue isn't really encryption of the bulk
data, even after you throw in good IV's, message authentication codes,
etc. The real issue is key exchange.

      If you used a dual processor machine and separated the actual
chat layer from the I/O layer, you could put the encryption in the I/O
layer. This is actually not that terribly hard to hack into Ircd.

Terribly hard to hack, no.
Terrible hack, yes.

      PS: If you use public-key encryption to do the initial key
exchange, that can be significant if you have a high rate of
connection establishment. But if you assume that everybody has a
password already known to both them and the chat server, it's not a
problem.

And so unbelievably easy to defeat you might as well not have bothered.
Bad crypto is almost worse then no crypto because it gives you a false
sense of security.

First think about what you're actually wanting to protect with crypto.

Is it the communication between the server and user, so that noone can
intercept (OR inject!) data? It certainly isn't a good thing when someone
can compromise a machine local to you and intercept/inject commands into
your irc session, as many efnet opers seem to have found out. It also
isn't a good thing when you can compromise a machine local to a server,
and intercept/inject commands which can destroy the entire structure of
the chat network. For example, it is easy enough to capture the SJOIN
flood of a server synchronizing to the network (which itself is an archiac
design, but irc is good at those), then hijack the tcp session and play
back that list with slight modifications so that you blast the entire
state database on all servers and do things like deop every channel on the
network, etc. Obviously this is an area where real crypto provides many
benefits.

Is it for end-to-end users across the network, so people can talk
privately without the fear of an unethical server admin (or admins)
snooping on their conversations? Sure it's possible to establish a direct
client to client tcp connection, but that doesn't scale very well for
things like meetings, which IRC would be rather well suited for.

If you do not have good key exchange mechanisms in place, none of this can
be accomplished, and as we all know public-key type exchanges suck CPU
left and right. It may work reasonably well for your company's internal
server with 100 people, but it probably wouldn't scale to many thousands
or hundreds of thousands of users on public chat networks very well. If
you'd like a suggestion on how to give it a shot though, I'd say your best
bet is Diffie-Hellman where you can pre-generate your primes on the
server, re-use them, and shift the work of random number generation to the
individual client. It's not a perfect mutual-exchange, but it puts the
ball of security back in the court of the connecting client.

> I don't see how that can be. A P3-600 can RC4 encrypt over
> 60MB/sec in 64 byte blocks. That figure drops to only 45MB/sec in 8
> byte blocks. This is a slight overstatement because cache
> effectiveness is increased by repeatedly encrypting the same stream.

What crack are you smoking? RC4 is a stream cipher, it does not get
applied to block sizes of any kind. Perhaps this shows the performance of
the surrounding components feeding data to be encrypted in someone's
benchmark, but it does not relate to the algorithm itself. Stream ciphers
are just stateful pseudo random number generator, with the results being
XOR'd into the plaintext on a byte by byte basis. This makes them
extremely fast and light weight, but as WEP has recently demonstrated for
us very vulnerable to "attack of the poorly implemented crypto".

  Perhaps I wasn't clear. The figures I presented reflect the fact that when
you add encryption, much of the cost of the encryption/decryption is the
overhead of entering and exiting the decryption algorithm. Since IRC
typically results in chunks of about 64 bytes, it's important to test using
chunks of that size.

  For example, if you use OpenSSL and type 'openssl speed rc4', it will test
with variable sized 'blocks'. Performance will be less with smaller blocks
simply because you have to enter and exit a loop more often.

Don't get me wrong I rather like RC4, I can write it off the top of my
head in 30 seconds, encrypt data at very high speeds, and it provides a
good level of security IF implemented correctly. The problem is I don't
trust it in other people's implementations unless I've double-checked it
myself, because it's real easy to mess up.

  That's why I use the OpenSSL implementation. I've seen some *very* subtle
bugs in other implementations.

If you do not have good key exchange mechanisms in place, none of this can
be accomplished, and as we all know public-key type exchanges suck CPU
left and right. It may work reasonably well for your company's internal
server with 100 people, but it probably wouldn't scale to many thousands
or hundreds of thousands of users on public chat networks very well. If
you'd like a suggestion on how to give it a shot though, I'd say your best
bet is Diffie-Hellman where you can pre-generate your primes on the
server, re-use them, and shift the work of random number generation to the
individual client. It's not a perfect mutual-exchange, but it puts the
ball of security back in the court of the connecting client.

  Actually, there are lots of simple ways to do this. What ConferenceRoom
does, for example, is have the chat server generate a random key/ID pair
(using a cryptographically strong RNG of course). The key and ID are sent to
the client using a secure web server. When the client connects back to the
chat server, he passes his ID, and begins using blowfish encryption with the
key. This way, the chat client can authenticate the web server (since its
SSL key is signed), and neither the chat server nor the chat client need to
do any complex PK work.

  But you are 100% right, bad crypto is *much* worse than no crypto.

  DS

> What crack are you smoking? RC4 is a stream cipher, it does not get
> applied to block sizes of any kind. Perhaps this shows the performance of
> the surrounding components feeding data to be encrypted in someone's
> benchmark, but it does not relate to the algorithm itself. Stream ciphers
> are just stateful pseudo random number generator, with the results being
> XOR'd into the plaintext on a byte by byte basis. This makes them
> extremely fast and light weight, but as WEP has recently demonstrated for
> us very vulnerable to "attack of the poorly implemented crypto".

  Perhaps I wasn't clear. The figures I presented reflect the fact
that when you add encryption, much of the cost of the
encryption/decryption is the overhead of entering and exiting the
decryption algorithm. Since IRC typically results in chunks of about
64 bytes, it's important to test using chunks of that size.

  For example, if you use OpenSSL and type 'openssl speed rc4', it
will test with variable sized 'blocks'. Performance will be less with
smaller blocks simply because you have to enter and exit a loop more
often.

Well sure if you make function calls a few million times more you'll see
some impact in performance. That has nothing to do with the crypto, that's
just the performance impact of writing non-inlined functions in C. I just
benchmarked 106MB/s on a p3 1GHz but that only shows performance of a
little addition, modulus, XOR, and changing 2 numbers in a state array.

Anyways, I personally doubt any existing IRC server could even come close
to pushing enough traffic to reach a bottleneck due to cpu use of a
private key cipher for a dozen others reasons.

  Actually, there are lots of simple ways to do this. What
ConferenceRoom does, for example, is have the chat server generate a
random key/ID pair (using a cryptographically strong RNG of course).
The key and ID are sent to the client using a secure web server. When
the client connects back to the chat server, he passes his ID, and
begins using blowfish encryption with the key. This way, the chat
client can authenticate the web server (since its SSL key is signed),
and neither the chat server nor the chat client need to do any complex
PK work.

And then your bottleneck it in the SSL web server. Again, this works fine
for your product, or for at most a few hundred people using an internal
office chat server, but not for hundreds of thousands of people using
large connected chat infrastructures. To quote Vijay, "It does not scale".

But at any rate, this is becoming as off-topic as requests for an ISDN
provider in Detriot, though I can only hope it's slightly more interesting
then trying to figure out the correct way to bitch at people in foreign
countries.