Re: ChaCha20-Poly1305 for SSH

Damien Miller <djm@mindrot.org> Tue, 03 May 2016 14:20 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16A6812D81D for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Tue, 3 May 2016 07:20:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.196
X-Spam-Level:
X-Spam-Status: No, score=-5.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uQPJgWjN-ymh for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Tue, 3 May 2016 07:20:16 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6548512D818 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Tue, 3 May 2016 07:20:16 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 095D085E7F; Tue, 3 May 2016 14:20:16 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 25B8D85E47 for <ietf-ssh@netbsd.org>; Tue, 3 May 2016 14:20:12 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id 9kaO_u72z8t0 for <ietf-ssh@netbsd.org>; Tue, 3 May 2016 14:20:11 +0000 (UTC)
Received: from newmailhub.uq.edu.au (mailhub1.soe.uq.edu.au [130.102.132.208]) by mail.netbsd.org (Postfix) with ESMTP id 0D0DF84CED for <ietf-ssh@netbsd.org>; Tue, 3 May 2016 14:20:10 +0000 (UTC)
Received: from smtp2.soe.uq.edu.au (smtp2.soe.uq.edu.au [10.138.113.41]) by newmailhub.uq.edu.au (8.14.5/8.14.5) with ESMTP id u43DAaSw045415; Tue, 3 May 2016 23:10:36 +1000
Received: from mailhub.eait.uq.edu.au (holly.eait.uq.edu.au [130.102.79.58]) by smtp2.soe.uq.edu.au (8.14.5/8.14.5) with ESMTP id u43DAZ76033533 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 3 May 2016 23:10:36 +1000
Received: from natsu.mindrot.org (natsu.mindrot.org [130.102.96.2]) by mailhub.eait.uq.edu.au (8.15.1/8.15.1) with ESMTPS id u43DAZae005863 (version=TLSv1.2 cipher=DHE-RSA-CHACHA20-POLY1305 bits=256 verify=NO); Tue, 3 May 2016 23:10:35 +1000 (AEST)
Received: by natsu.mindrot.org (Postfix, from userid 1000) id 50BEEA4F33; Tue, 3 May 2016 23:10:35 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1]) by natsu.mindrot.org (Postfix) with ESMTP id 50073A4F32; Tue, 3 May 2016 23:10:35 +1000 (AEST)
Date: Tue, 03 May 2016 23:10:35 +1000
From: Damien Miller <djm@mindrot.org>
To: Stefan Bühler <ietf-ssh@stbuehler.de>
cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH
In-Reply-To: <20160503111810.096420bd@chromobil-cert.local>
Message-ID: <alpine.BSO.2.20.1605032253510.2151@natsu.mindrot.org>
References: <20160420101838.5861b73d@chromobil-cert.local> <alpine.BSO.2.20.1605022339400.6962@natsu.mindrot.org> <20160503111810.096420bd@chromobil-cert.local>
User-Agent: Alpine 2.20 (BSO 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="26225070309376-1765907108-1462281035=:2151"
X-Scanned-By: MIMEDefang 2.73 on UQ Mailhub
X-Scanned-By: MIMEDefang 2.75 on 130.102.79.58
X-UQ-FilterTime: 1462281036
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

On Tue, 3 May 2016, Stefan Bühler wrote:

> On Tue, 3 May 2016 00:47:55 +1000 (AEST)
> Damien Miller <djm@mindrot.org> wrote:
> 
> > It would be helpful if you said what in the documentation was
> > insufficient so we can improve it.
> 
> Fair enough:
> - "This forms two 256 bit keys (K_1 and K_2), used by two separate
>   instances of chacha20.", and then K_1 is used to encrypt the length.
>   But the keys are actually `K_2 || K_1` !

Thanks, I'll add a note to clarify.

> - There is no reference to EtM-modes and how they handle padding.

Why should there be?  EtM is completely separate.

> - By saying "no MAC is required" one might think that the MAC length is
>   zero and Poly1305 tag is somehow part of the packet content, and that
>   the length of it needs to be reflected in the length field.
>   But the MAC length is actually 16 bytes.

But the document doesn't say this. It says, in a section that describes
the KEX negotiation, "no MAC is required to be negotiated". IMO that's
quite clear from context.

Perhaps you're referring to the "no separate MAC is required" statement
in the same paragraph. This immediately follows a sentence that
describes the AEAD as including authentication. IMO the context is clear
here too.

The rest of the document discusses at length how the in-AEAD MAC is
derived and should be checked so nobody who read the whole thing
could (again IMO) come away with the impression that the protocol
includes no MAC or that it isn't included in the packet.

> I also feel the document is not structured very well, and a lot of
> things could be said more explicitly.

Such as? I'm happy to act on specific suggestions. Vague statements
of displeasure aren't really actionably though.

> But now I'm also curious: do you actually consider the document good
> enough to be published as RFC?

I'd consider it good enough to publish as an I-D, but I don't intend
to for the reasons I've already outlined.

> > > So I started to work on it, and also read some of the following
> > > discussion on ietf-ssh.
> > > 
> > > A large part of the discussion spun off discussing a whish list for
> > > a new binary packet protocol; changing the binary packet protocol
> > > probably requires rewriting core logic in many SSH implementations,
> > > so this should be done very carefully and not just for one cipher,
> > > and I somehow doubt it will happen soon.  
> > 
> > It's already happened: chacha20-poly1305 is supported by several
> > SSH implementations and uses a similar packet construction to
> > RFC5647 AES-GCM (with the exception of encryting the packet length).
> > There's also the -etm MACs in OpenSSH as Niels observes.
> 
> I can't find it on
> http://ssh-comparison.quendi.de/comparison/cipher.html, and I hope it
> isn't actually named "chacha20-poly1305" without being listed in the
> IANA registry. Can you give me any pointers?

http://ssh-comparison.quendi.de/comparison/cipher.html search for
chacha20-poly1305, scroll right.

-d