Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec
Yoav Nir <ynir.ietf@gmail.com> Thu, 26 February 2015 22:38 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F4C01A8547 for <ipsec@ietfa.amsl.com>; Thu, 26 Feb 2015 14:38:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OMYAgP4gnXlK for <ipsec@ietfa.amsl.com>; Thu, 26 Feb 2015 14:38:00 -0800 (PST)
Received: from mail-wg0-x234.google.com (mail-wg0-x234.google.com [IPv6:2a00:1450:400c:c00::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A21701A016B for <ipsec@ietf.org>; Thu, 26 Feb 2015 14:37:59 -0800 (PST)
Received: by wghl18 with SMTP id l18so15429493wgh.8 for <ipsec@ietf.org>; Thu, 26 Feb 2015 14:37:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=SiIinotpBNacZAqgV+Ih6mHWuWFbHgvb1LLqLhe6cpo=; b=lB+UBovTS3L/YnfLgI8aoXGC9Ra+7aPLPH4Ipns0892h7mSYDT2O8FIQms1sSIYnTw 52gjkAAf057p2Ro0ckh6giU+ZkDLOOlio5Rripy8LIJMTbHn9R1ooTD+DA3xcS/GS6AR JZsvTDJfP+lfdin+Ei8mm6eZ/CrTX8QwmQUmcWWw3+mIBvncoZVwYxKOry6GU9ab22Um fzW48NSRn1pvtpe5nVDPqUttae4OCziOi5lZra+h5tGg8BIHj94ocC5Rgu3B+oGUD5iV fmR70fugdH0TDBUInYB3qHPPH4H5+jdhmbhnGTOSHoyaRYb2t6pWPNpwverTOuu8oGDn lFyw==
X-Received: by 10.194.110.38 with SMTP id hx6mr20995687wjb.128.1424990278384; Thu, 26 Feb 2015 14:37:58 -0800 (PST)
Received: from [192.168.1.13] ([46.120.13.132]) by mx.google.com with ESMTPSA id m4sm3323697wjb.25.2015.02.26.14.37.57 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 26 Feb 2015 14:37:57 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <alpine.LFD.2.10.1502260933310.28451@bofh.nohats.ca>
Date: Fri, 27 Feb 2015 00:37:55 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <4D31B839-3CC7-4499-AC14-533DCF8EC4B3@gmail.com>
References: <798DAF77-94CB-4AF4-AECC-5039808F147F@gmail.com> <alpine.LFD.2.10.1502260933310.28451@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/hNfGDhiZL5ZqscxiZ8VXXNBTKKo>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2015 22:38:02 -0000
> On Feb 26, 2015, at 4:48 PM, Paul Wouters <paul@nohats.ca> wrote: > > On Tue, 24 Feb 2015, Yoav Nir wrote: > >> In the meantime, I have updated my draft to only define the AEAD. Since we not have CFRG’s “stamp of approval” if not yet an RFC number, >> I would like to renew my request to have the ChaCha20+Poly1305 for IKE and IPsec document [2] accepted by this working group with the >> intent of having it published as a standard-track document. > > I am in favour of adopting this document for the WG. > >> [2] https://tools.ietf.org/html/draft-nir-ipsecme-chacha20-poly1305-05 > > Can we rename ESP_ChaCha20-Poly1305 to ESP_ChaCha20_Poly1305 ? That > allows implementors to match the literal IANA string into C-code, which > does not allow a "-" symbol. Hmm, it’s like version -10 all over again: http://www.ietf.org/rfcdiff?url1=draft-irtf-cfrg-chacha20-poly1305-09&url2=draft-irtf-cfrg-chacha20-poly1305-10 > The problem is that if future advances in cryptanalysis reveal a > weakness in AES, VPN users will be in an unenviable position. With > the only other widely supported cipher being the much slower 3DES, > > I'm not sure if that is completely true. We do have Camellia, although > I'm not a cryptographer and it might be too similar to AES. So I still > agree with the sentiment of the text. There are several algorithms that exist, and even quite a few that are defined for IPsec. But none are as universally implemented as 3DES and AES. So as a developer I can implement Camellia (and I have no idea about its speed relative to AES), but as a user with an existing version of some software that has to interoperate with some other user of some other version of some other software, only with AES and 3DES it’s safe to assume that we can achieve interoperability. > The length of the ciphertext as a 32-bit network order quantity. > > Can we clarify the number of octets used here without needing to go into > another reference document? Mmm, 4? Network order is the controversial part, because everything else in ChaCha20 is little-endian. > I kind of dislike using HMAC-SHA-256 but I understand we don't have much > choice right now: For PRF? What’s wrong with HMAC-SHA-256? I would have preferred to use these algorithms for the PRF. Poly1305 is not suitable as a PRF. ChaCha20 is a block cipher in counter mode and is very suitable as a PRF, but it doesn’t fit the definition of a PRF in section 2.13 of RFC 7296. > https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10#section-2.7 > > Although perhaps we can go back to CRFG and ask if they can give us > something that is not based on the SHA2 family? Why don’t you like SHA2? Is it about the performance or just a general dislike of NIST algorithms? Anyway, perhaps you’d like blake2 better: http://tools.ietf.org/html/draft-saarinen-blake2-01 Still seems like a shame to brink that in just for the PRF. > I have no strong opinions about Diffie-Hellman groups. Perhaps Curve25519 after CFRG finish recommending it. Yoav
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Yoav Nir
- [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Yoav Nir
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Michael Richardson
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Yoav Nir
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Tero Kivinen
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Paul Wouters
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Yoav Nir
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Paul Wouters