Re: ChaCha20-Poly1305 for SSH

nisse@lysator.liu.se (Niels Möller ) Wed, 27 April 2016 13:50 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FE5612D1D9 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 27 Apr 2016 06:50:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.196
X-Spam-Level:
X-Spam-Status: No, score=-5.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L0HXnwwxk7NL for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 27 Apr 2016 06:50:08 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70F5912D5DF for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 27 Apr 2016 06:50:04 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 2578685E96; Wed, 27 Apr 2016 13:50:02 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id F01F685E5C for <ietf-ssh@netbsd.org>; Wed, 27 Apr 2016 13:49:57 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id B0R_E4wsIiTi for <ietf-ssh@netbsd.org>; Wed, 27 Apr 2016 13:49:57 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 5121F84C85 for <ietf-ssh@netbsd.org>; Wed, 27 Apr 2016 13:49:56 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id E14EA40028; Wed, 27 Apr 2016 15:49:49 +0200 (CEST)
Received: from armitage.lysator.liu.se (armitage.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83]) by mail.lysator.liu.se (Postfix) with SMTP id A95BE40014; Wed, 27 Apr 2016 15:49:48 +0200 (CEST)
Received: by armitage.lysator.liu.se (sSMTP sendmail emulation); Wed, 27 Apr 2016 15:49:48 +0200
From: nisse@lysator.liu.se
To: Stefan Bühler <ietf-ssh@stbuehler.de>
Cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH
References: <20160420101838.5861b73d@chromobil-cert.local> <nntwiuu61g.fsf@armitage.lysator.liu.se> <20160422125731.56e804dc@chromobil-cert.local>
Date: Wed, 27 Apr 2016 15:49:48 +0200
In-Reply-To: <20160422125731.56e804dc@chromobil-cert.local> ("Stefan Bühler"'s message of "Fri, 22 Apr 2016 12:57:31 +0200")
Message-ID: <nnwpnjrwjn.fsf@armitage.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Stefan Bühler <ietf-ssh@stbuehler.de> writes:

> On Thu, 21 Apr 2016 21:15:55 +0200
> nisse@lysator.liu.se (Niels Möller) wrote:

>> I hope you've also seen draft-nisse-secsh-aead-00. I'm replying
>> looking for ways to improve that and move forward. 
>
> My feeling is that this document already is the "protocol rethink" (and
> not just a "small algorithm family"),

That's not my intention. I want it to be general enough to guide
specification of other aead schemes, but otherwise keep changes close to
minimal.

(To really do minimal changes to the ssh protocol, one shouldn't do aead
at all, but specify chacha as a cipher, and some mac based on poly1305,
and use the old way of applying the mac to the plain text).

> Oh my... sorry. I meant Chacha20 of course; DJBs original definition
> uses a little-endian 64-bit block-counter and a 64-bit nonce (often the
> packet counter). RFC7539 moves the trailing 4 bytes from the block
> counter (which are almost always zero - no packet is that big) and
> prepends them to the nonce in the interface (but does the same thing
> internally) to get the "standard" 12-byte nonce interface.

To me, 64 bits sounds like a very reasonable size for both the counter
and the nonce. I haven't quite understood why RFC 5116 mandates
("SHOULD") a 12-byte nonce, or its separation into "fixed" and "counter"
part. 

For ssh, it doesn't matter, a 32-bit block counter is large enough, by a
large margin.

>> I agree it's a nice idea. I didn't go that way in my draft, because
>> (i) the optimization is minor, a single chacha_core operation and
>> very small state, and (2) because it's very algorithm specific, it
>> doesn't generalize to other AEAD ciphers. I'd be happy to change, if
>> there is support for this idea.
>
> I also consider this optional in my "variant" proposal; I'd be also
> fine with the current openssh implementation simply using a second key.
>
> When encrypting the packet length is still required (see my comments
> regarding "protocol rethink" above) I think using different nonces in a
> generic AEAD specification is a good idea (although I don't think the
> shift by one bit is a good idea. I'd rather shift by 32-bits, requiring
> a >= 8-byte nonce instead of >= 5-byte).

If we go with the 5116-style AEAD, I guess it would make some sense to
describe the distinct-nonce hack using the "fixed |
counter"-terminology, with a fixed part being different for length field
and the data. But then why not do it the same way for chacha-poly1305?

The reason why I ended up proposing the shift-by-one-bit construction
was that I think a reasonable AEAD API will have an auto-increment
function, incrementing the nonce by one for each message processed. With
the shift-by-one bit, the sequence in which nonces are used is simply
incrementing, with even ones for length encryption and odd ones for
data. With any other formatting, one would need two set_nonce calls per
message, or two separate state structs. So that seemed convenient to me,
but I guess I'm biased by how my crypto library works.

> I'd keep the "at least four bytes" and "pad to
> multiple of min(8, blocksize)" requirements (which results in a
> minimum packet size of 12 bytes instead of 16 with MtE).

Noted (I think some one else expressed a similar opinion). But precesily
what is padded changes, with aead, it has to be the data exluding the
length field. And I take it chacha should be viewed as a stream cipher
and hence pad to 8 bytes, not pad to 64 bytes?

> The question remains: push "chacha20-poly1305" being identical or close
> to the openssh one or wait for a generic AEAD / "protocol rethink"?

My preference would be

1. Do something close to openssh.

2. Specify use of chacha and poly1305 as separate cipher and mac.

3. Wait for ssh version 3, which isn't likely to happen.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.