Re: ChaCha20-Poly1305 for SSH
Damien Miller <djm@mindrot.org> Sun, 29 November 2015 11:42 UTC
Date: Sun, 29 Nov 2015 22:42:10 +1100
From: Damien Miller <djm@mindrot.org>
To: Niels Möller <nisse@lysator.liu.se>
cc: Simon Josefsson <simon@josefsson.org>, ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH
In-Reply-To: <nny4dksr3i.fsf@armitage.lysator.liu.se>
Message-ID: <alpine.BSO.2.20.1511292239430.12629@natsu.mindrot.org>
References: <87egfdxebo.fsf@latte.josefsson.org> <nny4dksr3i.fsf@armitage.lysator.liu.se>
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
On Thu, 26 Nov 2015, Niels Möller wrote:

> So my suggestion is to go with rfc 7539, and in addition, encrypt the
> length field by something like
>
>   encrypt_length(key, nonce, length)
>     counter = 0
>     block = chacha20_block(key,counter,nonce)
>     return block[32..35] ^ length
>   end
>
> using the same key and nonce as input as with poly1305_key_gen in RFC
> 7539. (It's then possible, but not at all necessary, to generate the
> poly1305 key and encrypt the length key using a single call to
> chacha20_block. In contrast to chacha20-poly1305@openssh.com, which,
> iirc, uses a separate chacha key just for encrypting the lengths).

IMO if you're going to the trouble of preserving packet length privacy
then you should do it properly and use a separate cipher instance to do
it. In the case of chacha20, it's ridiculously cheap to do so; the cipher
has negligible state.

-d
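The two length-encryption designs argued over above, worked through in Python as an added example (this is neither Niels's nor Damien's code, nor OpenSSH's chacha20-poly1305@openssh.com implementation). The block function follows RFC 7539 section 2.3 and is checked against the RFC's own test vector. `shared_block0` / `encrypt_length_shared` is Niels's proposal: block 0 of the payload key and nonce gives the Poly1305 one-time key in bytes 0..31 and the length mask in bytes 32..35. `encrypt_length_separate` is the separate-instance design Damien prefers: an independent key feeds a second ChaCha20 instance used for nothing but lengths. The 64-byte key split in `split_keys` and the sequence-number-to-nonce mapping in `nonce_from_seqnr` are conventions invented for this example, not the layout of any real SSH cipher mode.

```python
import struct

# --- ChaCha20 block function, RFC 7539 section 2.3 --------------------------

def _rotl32(v: int, c: int) -> int:
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))

def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF
    s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """64-byte keystream block: 4 constants, 8 key words, 1 counter word,
    3 nonce words; 20 rounds; add the initial state; serialize LE."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 256-bit key and a 96-bit nonce")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key)
    state.append(counter & 0xFFFFFFFF)
    state += struct.unpack("<3I", nonce)
    work = list(state)
    for _ in range(10):                      # 10 double rounds = 20 rounds
        _quarter_round(work, 0, 4, 8, 12)    # column rounds
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)   # diagonal rounds
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *((w + s) & 0xFFFFFFFF for w, s in zip(work, state)))

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- Design 1: Niels's proposal, one key for payload, tag key and length ----

def shared_block0(key: bytes, nonce: bytes):
    """Block 0 of the payload key/nonce, split as the proposal uses it:
    bytes 0..31 = Poly1305 one-time key (poly1305_key_gen in RFC 7539),
    bytes 32..35 = mask for the 4-byte packet length. Payload keystream
    would start at counter 1, exactly as in RFC 7539 AEAD."""
    block = chacha20_block(key, 0, nonce)
    return block[:32], block[32:36]

def encrypt_length_shared(key: bytes, nonce: bytes, length: int) -> bytes:
    _, mask = shared_block0(key, nonce)
    return _xor(mask, struct.pack(">I", length))

def decrypt_length_shared(key: bytes, nonce: bytes, enc: bytes) -> int:
    _, mask = shared_block0(key, nonce)
    return struct.unpack(">I", _xor(mask, enc))[0]

# --- Design 2: a separate cipher instance just for lengths ------------------
# Hypothetical convention for this example: 64 bytes of negotiated key
# material, first half for the payload AEAD, second half for lengths only.

def split_keys(key_material: bytes):
    if len(key_material) != 64:
        raise ValueError("expected 64 bytes of key material")
    return key_material[:32], key_material[32:]

def encrypt_length_separate(length_key: bytes, nonce: bytes, length: int) -> bytes:
    mask = chacha20_block(length_key, 0, nonce)[:4]   # own instance, own key
    return _xor(mask, struct.pack(">I", length))

def decrypt_length_separate(length_key: bytes, nonce: bytes, enc: bytes) -> int:
    mask = chacha20_block(length_key, 0, nonce)[:4]
    return struct.unpack(">I", _xor(mask, enc))[0]

def nonce_from_seqnr(seqnr: int) -> bytes:
    """Constructed convention: 32-bit SSH packet sequence number in the
    last 4 bytes of the 96-bit nonce, so every packet gets a fresh nonce."""
    return bytes(8) + struct.pack(">I", seqnr)

def demo() -> dict:
    """Both designs on one constructed packet; returns values for checking."""
    key_material = bytes(range(64))          # constructed, not a real key
    payload_key, length_key = split_keys(key_material)
    nonce = nonce_from_seqnr(7)
    length = 28                              # packet_length of a small packet
    poly_key, mask = shared_block0(payload_key, nonce)
    e1 = encrypt_length_shared(payload_key, nonce, length)
    e2 = encrypt_length_separate(length_key, nonce, length)
    return {
        "shared": e1,
        "separate": e2,
        "shared_ok": decrypt_length_shared(payload_key, nonce, e1) == length,
        "separate_ok": decrypt_length_separate(length_key, nonce, e2) == length,
        "poly_key_len": len(poly_key),
        "mask_from_poly_block": mask == chacha20_block(payload_key, 0, nonce)[32:36],
    }

if __name__ == "__main__":
    print(demo())
```

The receiver side in both designs is the same XOR, so the length can be recovered before the Poly1305 tag is checked, which is what lets an implementation know how many bytes to read; the tag must still be verified before the length or payload is acted on. The structural difference the thread is about is visible in `demo()`: in the shared design the length mask and the Poly1305 key come out of the very same 64-byte block, whereas the separate design costs one extra key schedule, which for ChaCha20 is just loading 16 words of state.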