Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec
Paul Wouters <paul@nohats.ca> Mon, 02 March 2015 03:02 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E5B01A1A30 for <ipsec@ietfa.amsl.com>; Sun, 1 Mar 2015 19:02:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cmtQDYTn4K2n for <ipsec@ietfa.amsl.com>; Sun, 1 Mar 2015 19:02:50 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B89301A19E4 for <ipsec@ietf.org>; Sun, 1 Mar 2015 19:02:49 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3kwR9N1Dgpz5H9; Mon, 2 Mar 2015 04:02:48 +0100 (CET)
Authentication-Results: mx.nohats.ca; dkim=pass reason="1024-bit key; unprotected key" header.d=nohats.ca header.i=@nohats.ca header.b=MMALOreT; dkim-adsp=pass
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id GmwRbvu-EZti; Mon, 2 Mar 2015 04:02:46 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 2 Mar 2015 04:02:46 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id CB4C3813B1; Sun, 1 Mar 2015 22:02:45 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1425265365; bh=nLAsu5eOosfW99fdf3P7l8hx1UwFwrWPCiTaG2wmjCc=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=MMALOreTjbhyIvN1zFdq8RC1tcJEEKyCuSF61GuqEjDqpTr0Uz5xva18KYqoQWYmf IuwuUq+qKiInHoMHNZe66XmxQbwZSUQM2QS1yXd8JLkcRtME7AyCMBWouVgkwevlKg qz4hD980kZcEcG+wVJlq8Rk4wXknbNHZ/U7KQtOI=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id t2232j6n005053; Sun, 1 Mar 2015 22:02:45 -0500
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Sun, 01 Mar 2015 22:02:45 -0500
From: Paul Wouters <paul@nohats.ca>
To: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <4D31B839-3CC7-4499-AC14-533DCF8EC4B3@gmail.com>
Message-ID: <alpine.LFD.2.10.1503012153121.31123@bofh.nohats.ca>
References: <798DAF77-94CB-4AF4-AECC-5039808F147F@gmail.com> <alpine.LFD.2.10.1502260933310.28451@bofh.nohats.ca> <4D31B839-3CC7-4499-AC14-533DCF8EC4B3@gmail.com>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/kri0VF4f3ZtkBfdO60q-q4raQT4>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2015 03:02:51 -0000
On Fri, 27 Feb 2015, Yoav Nir wrote: >>> [2] https://tools.ietf.org/html/draft-nir-ipsecme-chacha20-poly1305-05 >> >> Can we rename ESP_ChaCha20-Poly1305 to ESP_ChaCha20_Poly1305 ? That >> allows implementors to match the literal IANA string into C-code, which >> does not allow a "-" symbol. > > Hmm, it’s like version -10 all over again: > http://www.ietf.org/rfcdiff?url1=draft-irtf-cfrg-chacha20-poly1305-09&url2=draft-irtf-cfrg-chacha20-poly1305-10 Good :) >> The problem is that if future advances in cryptanalysis reveal a >> weakness in AES, VPN users will be in an unenviable position. With >> the only other widely supported cipher being the much slower 3DES, >> >> I'm not sure if that is completely true. We do have Camellia, although >> I'm not a cryptographer and it might be too similar to AES. So I still >> agree with the sentiment of the text. > > There are several algorithms that exist, and even quite a few that are defined for IPsec. But none are as universally implemented as 3DES and AES. So as a developer I can implement Camellia (and I have no idea about its speed relative to AES), but as a user with an existing version of some software that has to interoperate with some other user of some other version of some other software, only with AES and 3DES it’s safe to assume that we can achieve interoperability. The point is, you cannot predict that chacha20/poly1305 will become widely supported either. Regardless, I don't care that much about this bit of text, so if you want to leave it as-is that's fine. >> The length of the ciphertext as a 32-bit network order quantity. >> >> Can we clarify the number of octets used here without needing to go into >> another reference document? > > Mmm, 4? Network order is the controversial part, because everything else in ChaCha20 is little-endian. It would be good for implementors to see that number in this document. >> Although perhaps we can go back to CRFG and ask if they can give us >> something that is not based on the SHA2 family? > > Why don’t you like SHA2? Is it about the performance or just a general dislike of NIST algorithms? I see this as a category ciphers that are non-NIST, grass-roots. So it would make logical sense not to depend no an SHA2/SHA3 family. > Anyway, perhaps you’d like blake2 better: > http://tools.ietf.org/html/draft-saarinen-blake2-01 Seeing that blake2 is based on chacha, I do think that is a better fit to use compared to sha2. > Still seems like a shame to brink that in just for the PRF. The C code is in the RFC, it's not that hard to bring in :P >> I have no strong opinions about Diffie-Hellman groups. > > Perhaps Curve25519 after CFRG finish recommending it. That would make sense. Paul
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Yoav Nir
- [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Yoav Nir
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Michael Richardson
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Yoav Nir
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Tero Kivinen
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Paul Wouters
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Yoav Nir
- Re: [IPsec] ChaCha20 + Poly1305 for IKE and IPsec Paul Wouters