samba in love with gnutls samba in love with gnutls
play

Samba in love with GnuTLS Samba in love with GnuTLS SambaXP 2019 - PowerPoint PPT Presentation

Mar 17, 2024 •263 likes •781 views

6/6/2019 Samba in love with GnuTLS Samba in love with GnuTLS Samba in love with GnuTLS SambaXP 2019 SambaXP 2019 Andreas Schneider Red Hat Samba Maintainer localhost:8000/?print-pdf#/ 1/51 6/6/2019 Samba in love with GnuTLS About me

  1. 6/6/2019 Samba in love with GnuTLS Samba in love with GnuTLS Samba in love with GnuTLS SambaXP 2019 SambaXP 2019 Andreas Schneider Red Hat Samba Maintainer localhost:8000/?print-pdf#/ 1/51

  2. 6/6/2019 Samba in love with GnuTLS About me About me Free and Open Source Software Developer cmocka - a unit testing framework for C Samba - The domain controller and file server libssh - The SSH Library cwrap - Client/Server testing made easy LineageOS - Android with Privacy Features localhost:8000/?print-pdf#/ 2/51

  3. 6/6/2019 Samba in love with GnuTLS 1 What is Samba? What is Samba? localhost:8000/?print-pdf#/ 3/51

  4. 6/6/2019 Samba in love with GnuTLS What is Samba? What is Samba? Samba is the software that you probably curse a lot at. localhost:8000/?print-pdf#/ 4/51

  5. 6/6/2019 Samba in love with GnuTLS 2 What is GnuTLS? What is GnuTLS? localhost:8000/?print-pdf#/ 5/51

  6. 6/6/2019 Samba in love with GnuTLS What is GnuTLS? What is GnuTLS? GnuTLS is the software you will love after this talk. localhost:8000/?print-pdf#/ 6/51

  7. 6/6/2019 Samba in love with GnuTLS GnuTLS is ... GnuTLS is ... Secure communication library for C Implements TLS protocol and sourrounding technology Mostly uses the nettle library for low level crypto Provides more hardware-accelerated implementation of different ciphers localhost:8000/?print-pdf#/ 7/51

  8. 6/6/2019 Samba in love with GnuTLS 3 Why GnuTLS? Why GnuTLS? localhost:8000/?print-pdf#/ 8/51

  9. 6/6/2019 Samba in love with GnuTLS Why do we use GnuTLS? Why do we use GnuTLS? Samba already uses GnuTLS for LDAP over TLS. localhost:8000/?print-pdf#/ 9/51

  10. 6/6/2019 Samba in love with GnuTLS Samba crypto Samba crypto Samba implemented own crypto: SHA265, SHA512, HMAC-SHA256 MD5, MD4, HMAC-MD5 AES-CFB, AES-CCM, AES-GCM, AES-CMAC DES, RC4 localhost:8000/?print-pdf#/ 10/51

  11. 6/6/2019 Samba in love with GnuTLS 4 Why shouldn't you write your own crypto Why shouldn't you write your own crypto functions? functions? localhost:8000/?print-pdf#/ 11/51

  12. 6/6/2019 Samba in love with GnuTLS Why shouldn't you write your own crypto functions? Why shouldn't you write your own crypto functions? Implementing crypto algorithms is relatively easy 1. Preventing attacks on the implementation is hard 2. Writing secure and performant code is hard Watch devconf.cz 2019 talk from Simo: Why you shouldn't write crypto functions yourself localhost:8000/?print-pdf#/ 12/51

  13. 6/6/2019 Samba in love with GnuTLS Why Samba shouldn't write its own crypto? Why Samba shouldn't write its own crypto? Samba developers aren't cryptographers localhost:8000/?print-pdf#/ 13/51

  14. 6/6/2019 Samba in love with GnuTLS 5 SMB3 and encryption SMB3 and encryption localhost:8000/?print-pdf#/ 14/51

  15. 6/6/2019 Samba in love with GnuTLS Samba and AES-NI support Samba and AES-NI support AES-NI is hardware support for AES ciphers AES-NI is available on most hardware nowadays e.g. x86, ARM, SPARC T3 Since Samba 4.8 we have support for Intel AES-NI on x86_64 localhost:8000/?print-pdf#/ 15/51

  16. 6/6/2019 Samba in love with GnuTLS SMB3 encryption with AES-CCM/AES-GCM SMB3 encryption with AES-CCM/AES-GCM For SMB3 encryption: Windows prefers AES-GCM over AES-CCM Samba perfers AES-CCM over AES-GCM localhost:8000/?print-pdf#/ 16/51

  17. 6/6/2019 Samba in love with GnuTLS 6 Numbers Numbers localhost:8000/?print-pdf#/ 17/51

  18. 6/6/2019 Samba in love with GnuTLS Lets send and receive 1 GB of random data over SMB3 with Lets send and receive 1 GB of random data over SMB3 with encryption encryption localhost:8000/?print-pdf#/ 18/51

  19. 6/6/2019 Samba in love with GnuTLS Hardware Hardware CPU: i7-4960X CPU @ 3.60GHz (2013) RAM: 32GB Instruction Set: AES-NI support localhost:8000/?print-pdf#/ 19/51

  20. 6/6/2019 Samba in love with GnuTLS Send and receive 1 GB of random data over SMB3 Send and receive 1 GB of random data over SMB3 time smbclient //LOCALSRV/tmp -mSMB3 -e \ -c 'put 1GB.bin; get 1GB.bin /dev/null' Client and server running at the same machine localhost:8000/?print-pdf#/ 20/51

  21. 6/6/2019 Samba in love with GnuTLS SMB3 Encryption with AES-CCM SMB3 Encryption with AES-CCM localhost:8000/?print-pdf#/ 21/51

  22. 6/6/2019 Samba in love with GnuTLS Samba 4.10 (AES-CCM) Samba 4.10 (AES-CCM) putting file 1GB.bin (46458.8 kb/s) (average 46458.8 kb getting file 1GB.bin (47832.1 kb/s) (average 47832.1 kb real 0m44.613s user 0m20.914s sys 0m3.623s localhost:8000/?print-pdf#/ 22/51

  23. 6/6/2019 Samba in love with GnuTLS Samba 4.10, AES-NI (AES-CCM) Samba 4.10, AES-NI (AES-CCM) putting file 1GB.bin (88397.9 kb/s) (average 88397.9 kb getting file 1GB.bin (90668.0 kb/s) (average 90668.1 kb real 0m23.595s user 0m10.427s sys 0m3.694s localhost:8000/?print-pdf#/ 23/51

  24. 6/6/2019 Samba in love with GnuTLS Samba with GnuTLS, AES-NI (AES-CCM) Samba with GnuTLS, AES-NI (AES-CCM) putting file 1GB.bin (106747.0 kb/s) (average 106747.0 getting file 1GB.bin (110901.7 kb/s) (average 110901.7 real 0m19.454s user 0m7.716s sys 0m4.484s localhost:8000/?print-pdf#/ 24/51

  25. 6/6/2019 Samba in love with GnuTLS SMB3 Encryption with AES-GCM SMB3 Encryption with AES-GCM localhost:8000/?print-pdf#/ 25/51

  26. 6/6/2019 Samba in love with GnuTLS Samba 4.10, AES-NI (AES-GCM) Samba 4.10, AES-NI (AES-GCM) putting file 1GB.bin (3268.4 kb/s) (average 3268.4 kb/s getting file 1GB.bin (3240.0 kb/s) (average 3240.0 kb/s real 10m44.602s user 5m21.525s sys 0m3.820s localhost:8000/?print-pdf#/ 26/51

  27. 6/6/2019 Samba in love with GnuTLS Samba with GnuTLS, AES-NI (AES-GCM) Samba with GnuTLS, AES-NI (AES-GCM) putting file 1GB.bin (172010.5 kb/s) (average 172010.5 getting file 1GB.bin (183445.8 kb/s) (average 183445.8 real 0m12.299s user 0m3.883s sys 0m4.610s Speedup GCM: 50 times faster localhost:8000/?print-pdf#/ 27/51

  28. 6/6/2019 Samba in love with GnuTLS AES-CCM (Samba, AES-NI) vs AES-GCM (GnuTLS) AES-CCM (Samba, AES-NI) vs AES-GCM (GnuTLS) AES-CCM (Samba 4.10): 23.454s (~90 MB/s) AES-GCM (GnuTLS): 12.299s (~180 MB/s) Speedup: Twice as fast localhost:8000/?print-pdf#/ 28/51

  29. 6/6/2019 Samba in love with GnuTLS Do you already start to love GnuTLS? Do you already start to love GnuTLS? localhost:8000/?print-pdf#/ 29/51

  30. 6/6/2019 Samba in love with GnuTLS Signing with AES-CMAC Signing with AES-CMAC smbclient -mSMB3 --signing=required Samba crypto AES-NI: 0m15.239s Samba with GnuTLS: 0m14.833s nettle implemented AES-CMAC based on Samba's implementation. localhost:8000/?print-pdf#/ 30/51

  31. 6/6/2019 Samba in love with GnuTLS Signing with AES-GMAC (coming soon) Signing with AES-GMAC (coming soon) Will be introduced by Microsoft to SMB3 soon. https:/ /gitlab.com/gnutls/gnutls/issues/781 localhost:8000/?print-pdf#/ 31/51

  32. 6/6/2019 Samba in love with GnuTLS Next Hardware Next Hardware localhost:8000/?print-pdf#/ 32/51

  33. 6/6/2019 Samba in love with GnuTLS Hardkernel ODROID-N2 Hardkernel ODROID-N2 ARM Cortex-A73 CPU (4 + 2 cores Cortex-A53) ARM64 with AES-NI support 4GByte DDR4 RAM Bad IO (~ 17MB/s) => tmpfs (ramdisk) for Samba share localhost:8000/?print-pdf#/ 33/51

  34. 6/6/2019 Samba in love with GnuTLS SMB3 Encryption with AES-CCM SMB3 Encryption with AES-CCM localhost:8000/?print-pdf#/ 34/51

  35. 6/6/2019 Samba in love with GnuTLS Samba 4.10 (AES-CCM) Samba 4.10 (AES-CCM) putting file 1GB.bin (13290.4 kb/s) (average 13290.4 kb getting file 1GB.bin (14952.5 kb/s) (average 14952.5 kb real 2m29.630s user 1m2.436s sys 0m20.992s localhost:8000/?print-pdf#/ 35/51

  36. 6/6/2019 Samba in love with GnuTLS Samba with GnuTLS (AES-CCM) Samba with GnuTLS (AES-CCM) putting file 1GB.bin (12714.6 kb/s) (average 12714.6 kb getting file 1GB.bin (29526.5 kb/s) (average 29526.5 kb real 1m58.512s user 0m24.252s sys 0m25.140s localhost:8000/?print-pdf#/ 36/51

  37. 6/6/2019 Samba in love with GnuTLS SMB3 Encryption with AES-GCM SMB3 Encryption with AES-GCM localhost:8000/?print-pdf#/ 37/51

  38. 6/6/2019 Samba in love with GnuTLS Samba 4.10 (AES-GCM) Samba 4.10 (AES-GCM) putting file 1GB.bin (1372.8 kb/s) (average 1372.8 kb/s getting file 1GB.bin (1370.0 kb/s) (average 1370.0 kb/s real 25m29.725s user 12m36.344s sys 0m13.868s localhost:8000/?print-pdf#/ 38/51

  39. 6/6/2019 Samba in love with GnuTLS Samba with GnuTLS (AES-GCM) Samba with GnuTLS (AES-GCM) putting file 1GB.bin (23982.8 kb/s) (average 23982.8 kb getting file 1GB.bin (37530.9 kb/s) (average 37530.9 kb real 1m11.970s user 0m18.504s sys 0m23.932s localhost:8000/?print-pdf#/ 39/51

  40. 6/6/2019 Samba in love with GnuTLS AES-CCM (Samba, AES-NI) vs AES-GCM (GnuTLS) AES-CCM (Samba, AES-NI) vs AES-GCM (GnuTLS) AES-CCM (Samba 4.10): 149s (~14 MB/s AES-GCM (GnuTLS): 71s (~37 MB/s) Speedup: Twice as fast localhost:8000/?print-pdf#/ 40/51

  41. 6/6/2019 Samba in love with GnuTLS Performance will be even better when we get gnutls_aead_cipher_(en|de)crypt_vec() which uses io vectors. https:/ /gitlab.com/gnutls/gnutls/issues/718 localhost:8000/?print-pdf#/ 41/51

  42. 6/6/2019 Samba in love with GnuTLS 7 Lets talk about FIPS Lets talk about FIPS Heinz Erhardt: Ritter FIPS localhost:8000/?print-pdf#/ 42/51

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org

Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org jeremy.allison@hp.com Where we are now : Samba 2.2 The current Samba is a credible replacement for a Windows server providing file and

529 views • 19 slides
Implementing the Witness protocol in Samba Gnther Deschner <gd@samba.org> (Red Hat /

Implementing the Witness protocol in Samba Gnther Deschner <gd@samba.org> (Red Hat /

Implementing the Witness protocol in Samba Gnther Deschner <gd@samba.org> (Red Hat / Samba Team) About Samba and RedHat Currently 7 Samba Team members inside RedHat Creators and users of Samba technology for authentication

836 views • 45 slides
Samba Witness Protection Programming Samuel Cabrero scabrero@suse.com David Disseldorp

Samba Witness Protection Programming Samuel Cabrero scabrero@suse.com David Disseldorp

Samba Witness Protection Programming Samuel Cabrero scabrero@suse.com David Disseldorp ddiss@samba.org Agenda Clustered Samba Witness Protocol Demo Outlook Clustered Samba Samba File and print server SMB / CIFS, SMB2

428 views • 40 slides
Samba and the road to Python3 Noel Power SUSE/Samba team noel.power@suse.com npower@samba.org

Samba and the road to Python3 Noel Power SUSE/Samba team noel.power@suse.com npower@samba.org

Samba and the road to Python3 Noel Power SUSE/Samba team noel.power@suse.com npower@samba.org Agenda Reasons to move to Python3 What is supported in what release Some history of the porting effort Challenges Lessons learned

815 views • 19 slides
The Important Details Of Windows Authentication Stefan Metzmacher <metze@samba.org> Samba

The Important Details Of Windows Authentication Stefan Metzmacher <metze@samba.org> Samba

The Important Details Of Windows Authentication Stefan Metzmacher <metze@samba.org> Samba Team / SerNet 2017-05-04 https://samba.org/~metze/presentations/2017/SambaXP/ Topics Windows Domains, Forests and Trusts Netlogon Secure

497 views • 34 slides
SMB3 Multi-Channel in Samba ... Now Really! Michael Adam Red Hat / samba.org sambaXP -

SMB3 Multi-Channel in Samba ... Now Really! Michael Adam Red Hat / samba.org sambaXP -

SMB3 Multi-Channel in Samba ... Now Really! Michael Adam Red Hat / samba.org sambaXP - 2016-05-11 Introduction SMB - mini history SMB: created around 1983 by Barry Feigenbaum, IBM SMB in Lan Manager: around 1990 SMB in Windows for

1.29k views • 58 slides
Tools for the Vagabonding Samba Developer sambaXP 2015 Michael Adam Samba Team / Red Hat May

Tools for the Vagabonding Samba Developer sambaXP 2015 Michael Adam Samba Team / Red Hat May

Tools for the Vagabonding Samba Developer sambaXP 2015 Michael Adam Samba Team / Red Hat May 21, 2015 We use a lot of VMs and containers for testing and building Samba. The setup and maintenance of these machines requires a lot of work. How

351 views • 20 slides
Christian Love Weve Heard a Lot about Love Cant buy my Love! -The Beatles Love

Christian Love Weve Heard a Lot about Love Cant buy my Love! -The Beatles Love

9/7/2017 Christian Love Weve Heard a Lot about Love Cant buy my Love! -The Beatles Love Dont Cost a Thing -Jennifer Lopez Love Will Keep Us Together! -Captain & Tennille Love Takes Time -Mariah Carey 1

425 views • 4 slides
Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me

Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me

Samba's AD DC: Samba 4.2 and Beyond Presented by Andrew Bartlett of Catalyst // 2014-09 About me Andrew Bartlett Samba T eam member since 2001 Working on the AD DC since 2006 These views are my own, but I do with to thank:

856 views • 36 slides
Faking a Failover Over the Top With Samba Clusters Christopher R. Hertel Samba Team May 2017

Faking a Failover Over the Top With Samba Clusters Christopher R. Hertel Samba Team May 2017

Faking a Failover Over the Top With Samba Clusters Christopher R. Hertel Samba Team May 2017 Introductions Introductor a t i o n a r y e s q u e n e s s e si s m Me: Samba Team Elder SMB Wizard with: The opinions expressed are my

874 views • 21 slides
Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team /

Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team /

Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team / SerNet 2012-09-17 Hi there! Oh ... ... please interrupt with questions! Michael Adam SMB2+ in Samba (3 / 20) SMB2 in Samba Only SMB 2.0

1.35k views • 75 slides
Samba and the road to 100,000 users Presented by Andrew Bartlet Samba Team - Catalyst / / SambaXP

Samba and the road to 100,000 users Presented by Andrew Bartlet Samba Team - Catalyst / / SambaXP

Samba and the road to 100,000 users Presented by Andrew Bartlet Samba Team - Catalyst / / SambaXP 2017 Andrew Bartlet Samba developer since 2001 Working on the AD DC since soon afuer the start of the 4.0 branch, since 2004! Driven to

664 views • 44 slides
A Few things happened on the way to LMDB Presented by Andrew Bartlet Samba Team - Catalyst / /

A Few things happened on the way to LMDB Presented by Andrew Bartlet Samba Team - Catalyst / /

A Few things happened on the way to LMDB Presented by Andrew Bartlet Samba Team - Catalyst / / June 2018 Samba is a member project of the Sofuware Freedom Conseraancy Andrew Bartlet and Catalysts Samba Team Samba Deaeloper since 2001

436 views • 30 slides
Using the Samba Testsuite Andrew Tridgell Samba Team tridge@osdl.org Torture yourself! The

Using the Samba Testsuite Andrew Tridgell Samba Team tridge@osdl.org Torture yourself! The

Using the Samba Testsuite Andrew Tridgell Samba Team tridge@osdl.org Torture yourself! The Samba4 torture suite is an extensive, general purpose CIFS test suite. It is not Samba specific. All CIFS vendors should take advantage of it to

377 views • 21 slides
MIT KDC integration Andreas Schneider <asn@samba.org> G unther Deschner

MIT KDC integration Andreas Schneider <asn@samba.org> G unther Deschner

MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices MIT KDC integration Andreas Schneider <asn@samba.org> G unther Deschner <gd@samba.org> Red Hat May 21th, 2015 Andreas Schneider <asn@samba.org> G

1.17k views • 29 slides
New printing protocols in Samba Gnther Deschner <gd@samba.org> Agenda MS16-087

New printing protocols in Samba Gnther Deschner <gd@samba.org> Agenda MS16-087

New printing protocols in Samba Gnther Deschner <gd@samba.org> Agenda MS16-087 RPRN and PAR PAR support detection Print Driver Packages Driver Signing Core Printer Drivers Current state of PAR in

579 views • 45 slides
Machine-Verified Controllers Arjun Guha, Mark Reitblatt, and Nate Foster Cornell University 1

Machine-Verified Controllers Arjun Guha, Mark Reitblatt, and Nate Foster Cornell University 1

Machine-Verified Controllers Arjun Guha, Mark Reitblatt, and Nate Foster Cornell University 1 Networks in the News 2 Networks in the News a network change was performed [] executed incorrectly [] more stuck volumes and added

1.36k views • 122 slides
Effects of Spa-al Diffusion on a Model for Prebio-c Evolu-on Ben Intoy J. Woods Halley Aaron

Effects of Spa-al Diffusion on a Model for Prebio-c Evolu-on Ben Intoy J. Woods Halley Aaron

Effects of Spa-al Diffusion on a Model for Prebio-c Evolu-on Ben Intoy J. Woods Halley Aaron Wynveen U. of MN, Twin Ci-es School of Physics and Astronomy NASA grant: NNX14AQ05G Acknowledgements: Computa-onal resources of: Minnesota

709 views • 17 slides
GSK Consumer Healthcare Friday, 21 st September 2018 Cautionary statement regarding

GSK Consumer Healthcare Friday, 21 st September 2018 Cautionary statement regarding

GSK Consumer Healthcare Friday, 21 st September 2018 Cautionary statement regarding forward-looking statements This presentation may contain forward-looking statements. Forward-looking statements give the Groups current expectations or

807 views • 43 slides
The CPU Performance Equation 40 The Performance Equation (PE) We would like to model how

The CPU Performance Equation 40 The Performance Equation (PE) We would like to model how

The CPU Performance Equation 40 The Performance Equation (PE) We would like to model how architecture impacts performance (latency) This means we need to quantify performance in terms of architectural parameters. Instruction Count

383 views • 37 slides
Lock Inference in the Presence of Large Libraries Khilan

Lock Inference in the Presence of Large Libraries Khilan

Lock Inference in the Presence of Large Libraries Khilan Gudka, Imperial College London* Tim Harris, Microso8 Research Cambridge Susan Eisenbach, Imperial

438 views • 29 slides
Opportunity Act A Workshop, February 29, 2020 SPONSORED BY HAVERHILL EDUCATION COALITION WITH

Opportunity Act A Workshop, February 29, 2020 SPONSORED BY HAVERHILL EDUCATION COALITION WITH

1 HEC SOA Workshop February 29, 2020 Haverhill Plans for the Student Opportunity Act A Workshop, February 29, 2020 SPONSORED BY HAVERHILL EDUCATION COALITION WITH DATA FROM BENCHMARK HAVERHILL SCHOOLS . COM 2 Student Opportunity Act

736 views • 41 slides
OpenFlow for QoS-Monitoring Supervisor:Prof. Dr.-Ing. Georg Carle Advisor: M.Sc. Daniel Raumer

OpenFlow for QoS-Monitoring Supervisor:Prof. Dr.-Ing. Georg Carle Advisor: M.Sc. Daniel Raumer

Network Architectures and Services, Georg Carle Faculty of Informatics Technische Universitt Mnchen, Germany OpenFlow for QoS-Monitoring Supervisor:Prof. Dr.-Ing. Georg Carle Advisor: M.Sc. Daniel Raumer M.Sc. Lukas Schwaighofer Agenda

344 views • 18 slides
TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno

TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno

TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno Bck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Find and fix security vulnerabilities and bugs in free soware (Fuzzing Project,

693 views • 44 slides

More recommend