Re: ChaCha20-Poly1305 for SSH

nisse@lysator.liu.se (Niels Möller ) Thu, 21 April 2016 19:16 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5280412E17B for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 21 Apr 2016 12:16:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.196
X-Spam-Level:
X-Spam-Status: No, score=-5.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uGiBX5BOVSsN for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 21 Apr 2016 12:16:19 -0700 (PDT)
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C48D12E107 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 21 Apr 2016 12:16:19 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id EB93A85F06; Thu, 21 Apr 2016 19:16:06 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 8C5DF85E54 for <ietf-ssh@netbsd.org>; Thu, 21 Apr 2016 19:16:02 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id UhJeBt-iZJ8s for <ietf-ssh@netbsd.org>; Thu, 21 Apr 2016 19:16:01 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 4841A85DFE for <ietf-ssh@netbsd.org>; Thu, 21 Apr 2016 19:15:59 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id A2D4B40017; Thu, 21 Apr 2016 21:15:56 +0200 (CEST)
Received: from armitage.lysator.liu.se (armitage.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83]) by mail.lysator.liu.se (Postfix) with SMTP id 727494000E; Thu, 21 Apr 2016 21:15:55 +0200 (CEST)
Received: by armitage.lysator.liu.se (sSMTP sendmail emulation); Thu, 21 Apr 2016 21:15:55 +0200
From: nisse@lysator.liu.se
To: Stefan Bühler <ietf-ssh@stbuehler.de>
Cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH
References: <20160420101838.5861b73d@chromobil-cert.local>
Date: Thu, 21 Apr 2016 21:15:55 +0200
In-Reply-To: <20160420101838.5861b73d@chromobil-cert.local> ("Stefan Bühler"'s message of "Wed, 20 Apr 2016 10:18:38 +0200")
Message-ID: <nntwiuu61g.fsf@armitage.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Stefan Bühler <ietf-ssh@stbuehler.de> writes:

> Seeing draft-josefsson-ssh-chacha20-poly1305-openssh-00 I hoped there
> would be some improvement... but well, it is just a copy of the openssh
> file :)

I think Simon's intention was percisely to document what openssh does.

I hope you've also seen draft-nisse-secsh-aead-00. I'm replying looking
for ways to improve that and move forward. 

> A large part of the discussion spun off discussing a whish list for a
> new binary packet protocol; [...] and I somehow
> doubt it will happen soon.

Agreed.

> - pad the nonce to 12 bytes with zeroes on the left side, so one can
>   simply reuse the original Poly1305 implementation with a 8-byte nonce.

I'm not following you here. And I'm not sure what you mean by "original poly1305".
Poly1305-AES as defined in http://cr.yp.to/mac/poly1305-20050329.pdf?
Or the salsa20-poly1305 described in
http://cr.yp.to/highspeed/naclcrypto-20090310.pdf, which I think is what
chacha-poly1305 evolved from? I don't think either uses an 8-byte nonce.

> - Whether to use the Poly1305 data construction from RFC7539:
>
>   At first I thought the Poly1305 usage in
>   "chacha20-poly1305@openssh.com" is vulnerable to some length
>   modifications; but then I remembered that Poly1305 uses an explicit
>   termination in the padding.

As a crypto library author, I'd really prefer if there were a single
definition of chacha-poly1305 used in all applications. But that's maybe
not a very compelling argument for ssh protocol design. There may also
be reasons of ietf politics to stick to ietf's definition.

>   As the length of the AAD is fixed I see no security gain changing to
>   the method described in RFC7539.

I'm also unaware of any difference in security.

> - Whether it is necesary to encrypt the packet length field:
>
>   Some voiced a strong preference for this as a requirement to prevent
>   traffic analysis.
>
>   It was pointed out the encrypted could lead to some extra attack
>   surface (or has done so in other protocols in the past), but I think
>   it is safe in the context of Chacha20. I see nothing an attacker could
>   gain here compared to not encrypting the length.

My quite strong opinion is that we shouldn't force others to choose
between encrypted packet lengths, and using chacha-poly1305. And when
writing a specification which mentions this topic, I'd like to recommend
that other AEAD ciphers also encrypt the packet lengths, and give some
clear guidance on how to do it properly.

> - Encrypting the packet length using otherwise discarded bytes from the
>   Chacha20 block used for the Poly1305 key:
>
>   It is a nice idea which can be used to optimize both performance and
>   memory usage.

I agree it's a nice idea. I didn't go that way in my draft, because (i)
the optimization is minor, a single chacha_core operation and very small
state, and (2) because it's very algorithm specific, it doesn't
generalize to other AEAD ciphers. I'd be happy to change, if there is
support for this idea.

Also note that it's straightforward to this based on a pure
RFC5116-style interface to chacha-poly1305, which doesn't output the
additional bytes of the first block: simply run chacha20 one more time
to get the bytes used for length encryption. No less efficient than
using a separate chacha instance, like openssh is doing.

> - Changing padding requirements, authentication of the encrypted length:
>
>   I see no need to change this in the context of a single algorithm.
>   Belongs into a more generic protocol redesign.

I'm afraid some tweaks to the padding requirements are needed even if
you only think of chacha-poly1305, the original padding rules don't make
much sense when the length isn't encrypted in the same way as the rest
of the payload.

And I think it's desirable to have AEAD ciphers in ssh do things the
same way. It's a bit annoying, because the details aren't terribly
important, but it has to be nailed down, and I have difficulty finding a
way that isn't a bit ugly in one way or the other.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.