Re: ChaCha20-Poly1305 for SSH
nisse@lysator.liu.se (Niels Möller ) Thu, 21 April 2016 19:16 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5280412E17B for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 21 Apr 2016 12:16:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.196
X-Spam-Level:
X-Spam-Status: No, score=-5.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uGiBX5BOVSsN for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 21 Apr 2016 12:16:19 -0700 (PDT)
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C48D12E107 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 21 Apr 2016 12:16:19 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id EB93A85F06; Thu, 21 Apr 2016 19:16:06 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 8C5DF85E54 for <ietf-ssh@netbsd.org>; Thu, 21 Apr 2016 19:16:02 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id UhJeBt-iZJ8s for <ietf-ssh@netbsd.org>; Thu, 21 Apr 2016 19:16:01 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [IPv6:2001:6b0:17:f0a0::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 4841A85DFE for <ietf-ssh@netbsd.org>; Thu, 21 Apr 2016 19:15:59 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id A2D4B40017; Thu, 21 Apr 2016 21:15:56 +0200 (CEST)
Received: from armitage.lysator.liu.se (armitage.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83]) by mail.lysator.liu.se (Postfix) with SMTP id 727494000E; Thu, 21 Apr 2016 21:15:55 +0200 (CEST)
Received: by armitage.lysator.liu.se (sSMTP sendmail emulation); Thu, 21 Apr 2016 21:15:55 +0200
From: nisse@lysator.liu.se
To: Stefan Bühler <ietf-ssh@stbuehler.de>
Cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH
References: <20160420101838.5861b73d@chromobil-cert.local>
Date: Thu, 21 Apr 2016 21:15:55 +0200
In-Reply-To: <20160420101838.5861b73d@chromobil-cert.local> ("Stefan Bühler"'s message of "Wed, 20 Apr 2016 10:18:38 +0200")
Message-ID: <nntwiuu61g.fsf@armitage.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
Stefan Bühler <ietf-ssh@stbuehler.de> writes: > Seeing draft-josefsson-ssh-chacha20-poly1305-openssh-00 I hoped there > would be some improvement... but well, it is just a copy of the openssh > file :) I think Simon's intention was percisely to document what openssh does. I hope you've also seen draft-nisse-secsh-aead-00. I'm replying looking for ways to improve that and move forward. > A large part of the discussion spun off discussing a whish list for a > new binary packet protocol; [...] and I somehow > doubt it will happen soon. Agreed. > - pad the nonce to 12 bytes with zeroes on the left side, so one can > simply reuse the original Poly1305 implementation with a 8-byte nonce. I'm not following you here. And I'm not sure what you mean by "original poly1305". Poly1305-AES as defined in http://cr.yp.to/mac/poly1305-20050329.pdf? Or the salsa20-poly1305 described in http://cr.yp.to/highspeed/naclcrypto-20090310.pdf, which I think is what chacha-poly1305 evolved from? I don't think either uses an 8-byte nonce. > - Whether to use the Poly1305 data construction from RFC7539: > > At first I thought the Poly1305 usage in > "chacha20-poly1305@openssh.com" is vulnerable to some length > modifications; but then I remembered that Poly1305 uses an explicit > termination in the padding. As a crypto library author, I'd really prefer if there were a single definition of chacha-poly1305 used in all applications. But that's maybe not a very compelling argument for ssh protocol design. There may also be reasons of ietf politics to stick to ietf's definition. > As the length of the AAD is fixed I see no security gain changing to > the method described in RFC7539. I'm also unaware of any difference in security. > - Whether it is necesary to encrypt the packet length field: > > Some voiced a strong preference for this as a requirement to prevent > traffic analysis. > > It was pointed out the encrypted could lead to some extra attack > surface (or has done so in other protocols in the past), but I think > it is safe in the context of Chacha20. I see nothing an attacker could > gain here compared to not encrypting the length. My quite strong opinion is that we shouldn't force others to choose between encrypted packet lengths, and using chacha-poly1305. And when writing a specification which mentions this topic, I'd like to recommend that other AEAD ciphers also encrypt the packet lengths, and give some clear guidance on how to do it properly. > - Encrypting the packet length using otherwise discarded bytes from the > Chacha20 block used for the Poly1305 key: > > It is a nice idea which can be used to optimize both performance and > memory usage. I agree it's a nice idea. I didn't go that way in my draft, because (i) the optimization is minor, a single chacha_core operation and very small state, and (2) because it's very algorithm specific, it doesn't generalize to other AEAD ciphers. I'd be happy to change, if there is support for this idea. Also note that it's straightforward to this based on a pure RFC5116-style interface to chacha-poly1305, which doesn't output the additional bytes of the first block: simply run chacha20 one more time to get the bytes used for length encryption. No less efficient than using a separate chacha instance, like openssh is doing. > - Changing padding requirements, authentication of the encrypted length: > > I see no need to change this in the context of a single algorithm. > Belongs into a more generic protocol redesign. I'm afraid some tweaks to the padding requirements are needed even if you only think of chacha-poly1305, the original padding rules don't make much sense when the length isn't encrypted in the same way as the rest of the payload. And I think it's desirable to have AEAD ciphers in ssh do things the same way. It's a bit annoying, because the details aren't terribly important, but it has to be nailed down, and I have difficulty finding a way that isn't a bit ugly in one way or the other. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller