W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: authenticated unencrypted

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 18 Dec 2013 09:26:11 -0800
Message-ID: <CABkgnnW0E2O2kZCmBXf3gXgBGNDMUB=iGYsh9tsCJ_XOO_JHqw@mail.gmail.com>
To: Matthew Kerwin <matthew@kerwin.net.au>
Cc: Patrick McManus <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 17 December 2013 17:43, Matthew Kerwin <matthew@kerwin.net.au> wrote:
> * coming back to my understanding that decrypting the entire thing is pretty
> expensive, but calculating a checksum/hash and decrypting that is cheaper.
> If that's an incorrect assumption then please correct me.

That's not a perfect assumption.  It's certainly true for TLS modes
where encryption and authentication form different steps, such as with
AES CBC + HMAC modes.  On the other hand, AES-GCM doesn't require
running a hash over the entire message, the MAC is effectively just a
byproduct of encryption (not really, but you might consider it as
such), so in that case I believe it to be faster to encrypt and
authenticate than to just authenticate.  I'm told that with AES-NI
instructions on recent CPUs GCM is about as fast as memcpy, and it
runs the same order number of operations as HMAC.  I'm not aware of a
pure hash function that works as quickly, and one that is even close
to available in the same way.
Received on Wednesday, 18 December 2013 17:26:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:21 UTC