Re: ChaCha20-Poly1305 for SSH
nisse@lysator.liu.se (Niels Möller ) Wed, 27 April 2016 13:50 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FE5612D1D9 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 27 Apr 2016 06:50:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.196
X-Spam-Level:
X-Spam-Status: No, score=-5.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L0HXnwwxk7NL for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 27 Apr 2016 06:50:08 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70F5912D5DF for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 27 Apr 2016 06:50:04 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 2578685E96; Wed, 27 Apr 2016 13:50:02 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id F01F685E5C for <ietf-ssh@netbsd.org>; Wed, 27 Apr 2016 13:49:57 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id B0R_E4wsIiTi for <ietf-ssh@netbsd.org>; Wed, 27 Apr 2016 13:49:57 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 5121F84C85 for <ietf-ssh@netbsd.org>; Wed, 27 Apr 2016 13:49:56 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id E14EA40028; Wed, 27 Apr 2016 15:49:49 +0200 (CEST)
Received: from armitage.lysator.liu.se (armitage.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83]) by mail.lysator.liu.se (Postfix) with SMTP id A95BE40014; Wed, 27 Apr 2016 15:49:48 +0200 (CEST)
Received: by armitage.lysator.liu.se (sSMTP sendmail emulation); Wed, 27 Apr 2016 15:49:48 +0200
From: nisse@lysator.liu.se
To: Stefan Bühler <ietf-ssh@stbuehler.de>
Cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH
References: <20160420101838.5861b73d@chromobil-cert.local> <nntwiuu61g.fsf@armitage.lysator.liu.se> <20160422125731.56e804dc@chromobil-cert.local>
Date: Wed, 27 Apr 2016 15:49:48 +0200
In-Reply-To: <20160422125731.56e804dc@chromobil-cert.local> ("Stefan Bühler"'s message of "Fri, 22 Apr 2016 12:57:31 +0200")
Message-ID: <nnwpnjrwjn.fsf@armitage.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
Stefan Bühler <ietf-ssh@stbuehler.de> writes: > On Thu, 21 Apr 2016 21:15:55 +0200 > nisse@lysator.liu.se (Niels Möller) wrote: >> I hope you've also seen draft-nisse-secsh-aead-00. I'm replying >> looking for ways to improve that and move forward. > > My feeling is that this document already is the "protocol rethink" (and > not just a "small algorithm family"), That's not my intention. I want it to be general enough to guide specification of other aead schemes, but otherwise keep changes close to minimal. (To really do minimal changes to the ssh protocol, one shouldn't do aead at all, but specify chacha as a cipher, and some mac based on poly1305, and use the old way of applying the mac to the plain text). > Oh my... sorry. I meant Chacha20 of course; DJBs original definition > uses a little-endian 64-bit block-counter and a 64-bit nonce (often the > packet counter). RFC7539 moves the trailing 4 bytes from the block > counter (which are almost always zero - no packet is that big) and > prepends them to the nonce in the interface (but does the same thing > internally) to get the "standard" 12-byte nonce interface. To me, 64 bits sounds like a very reasonable size for both the counter and the nonce. I haven't quite understood why RFC 5116 mandates ("SHOULD") a 12-byte nonce, or its separation into "fixed" and "counter" part. For ssh, it doesn't matter, a 32-bit block counter is large enough, by a large margin. >> I agree it's a nice idea. I didn't go that way in my draft, because >> (i) the optimization is minor, a single chacha_core operation and >> very small state, and (2) because it's very algorithm specific, it >> doesn't generalize to other AEAD ciphers. I'd be happy to change, if >> there is support for this idea. > > I also consider this optional in my "variant" proposal; I'd be also > fine with the current openssh implementation simply using a second key. > > When encrypting the packet length is still required (see my comments > regarding "protocol rethink" above) I think using different nonces in a > generic AEAD specification is a good idea (although I don't think the > shift by one bit is a good idea. I'd rather shift by 32-bits, requiring > a >= 8-byte nonce instead of >= 5-byte). If we go with the 5116-style AEAD, I guess it would make some sense to describe the distinct-nonce hack using the "fixed | counter"-terminology, with a fixed part being different for length field and the data. But then why not do it the same way for chacha-poly1305? The reason why I ended up proposing the shift-by-one-bit construction was that I think a reasonable AEAD API will have an auto-increment function, incrementing the nonce by one for each message processed. With the shift-by-one bit, the sequence in which nonces are used is simply incrementing, with even ones for length encryption and odd ones for data. With any other formatting, one would need two set_nonce calls per message, or two separate state structs. So that seemed convenient to me, but I guess I'm biased by how my crypto library works. > I'd keep the "at least four bytes" and "pad to > multiple of min(8, blocksize)" requirements (which results in a > minimum packet size of 12 bytes instead of 16 with MtE). Noted (I think some one else expressed a similar opinion). But precesily what is padded changes, with aead, it has to be the data exluding the length field. And I take it chacha should be viewed as a stream cipher and hence pad to 8 bytes, not pad to 64 bytes? > The question remains: push "chacha20-poly1305" being identical or close > to the openssh one or wait for a generic AEAD / "protocol rethink"? My preference would be 1. Do something close to openssh. 2. Specify use of chacha and poly1305 as separate cipher and mac. 3. Wait for ssh version 3, which isn't likely to happen. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller