Re: ChaCha20-Poly1305 for SSH
Stefan Bühler <ietf-ssh@stbuehler.de> Tue, 03 May 2016 09:18 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5119412D69A for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Tue, 3 May 2016 02:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.296
X-Spam-Level:
X-Spam-Status: No, score=-5.296 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=stbuehler.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pnIxF0yk2Yt0 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Tue, 3 May 2016 02:18:26 -0700 (PDT)
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0516512D142 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Tue, 3 May 2016 02:18:26 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id C277A85E62; Tue, 3 May 2016 09:18:24 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id D90D384CFD for <ietf-ssh@netbsd.org>; Tue, 3 May 2016 09:18:19 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (1024-bit key) header.d=stbuehler.de
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id dyHt9Le7idhp for <ietf-ssh@netbsd.org>; Tue, 3 May 2016 09:18:19 +0000 (UTC)
Received: from mail.stbuehler.de (stbuehler.de [IPv6:2a01:4f8:a0:2276::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 7F83284CED for <ietf-ssh@netbsd.org>; Tue, 3 May 2016 09:18:18 +0000 (UTC)
Received: from chromobil-cert.local (unknown [IPv6:2001:7c0:2025:24d:faca:b8ff:fe3a:723]) by mail.stbuehler.de (Postfix) with ESMTPSA id 499DCB80458; Tue, 3 May 2016 09:18:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=stbuehler.de; s=stbuehler1; t=1462267093; bh=rzM7ZXSguudwX3F2/SKLc0RDL78ez996PccFvKztoTg=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=3IeDXcuL8kQ2KcI6zYdiGSGKi6TuG/zmzHur2lbTznlm4MXMm47/R2Ggky1XpK/ou o0ZiJkfaRJNJD7LdY/la+wDQ02ovdXN2UYb5p82a+3rDMrdo+2TVh15YVNzRq4AH2W dp2GobFY0dFQ6chIxY/GbBUG8vHfPgD9egkZUfZQ=
Date: Tue, 03 May 2016 11:18:10 +0200
From: Stefan Bühler <ietf-ssh@stbuehler.de>
To: Damien Miller <djm@mindrot.org>
Cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH
Message-ID: <20160503111810.096420bd@chromobil-cert.local>
In-Reply-To: <alpine.BSO.2.20.1605022339400.6962@natsu.mindrot.org>
References: <20160420101838.5861b73d@chromobil-cert.local> <alpine.BSO.2.20.1605022339400.6962@natsu.mindrot.org>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
Hi Damien, On Tue, 3 May 2016 00:47:55 +1000 (AEST) Damien Miller <djm@mindrot.org> wrote: > On Wed, 20 Apr 2016, Stefan Bühler wrote: > > > Hi, > > > > some time ago I tried implementing ssh-chacha20-poly1305@openssh on > > my own and was rather disappointed by the state of the > > documentation in openssh (in the end the source code told me what I > > needed to know). > > > > Seeing draft-josefsson-ssh-chacha20-poly1305-openssh-00 I hoped > > there would be some improvement... but well, it is just a copy of > > the openssh file :) > > It would be helpful if you said what in the documentation was > insufficient so we can improve it. Fair enough: - "This forms two 256 bit keys (K_1 and K_2), used by two separate instances of chacha20.", and then K_1 is used to encrypt the length. But the keys are actually `K_2 || K_1` ! - There is no reference to EtM-modes and how they handle padding. - By saying "no MAC is required" one might think that the MAC length is zero and Poly1305 tag is somehow part of the packet content, and that the length of it needs to be reflected in the length field. But the MAC length is actually 16 bytes. I also feel the document is not structured very well, and a lot of things could be said more explicitly. But now I'm also curious: do you actually consider the document good enough to be published as RFC? > > So I started to work on it, and also read some of the following > > discussion on ietf-ssh. > > > > A large part of the discussion spun off discussing a whish list for > > a new binary packet protocol; changing the binary packet protocol > > probably requires rewriting core logic in many SSH implementations, > > so this should be done very carefully and not just for one cipher, > > and I somehow doubt it will happen soon. > > It's already happened: chacha20-poly1305 is supported by several > SSH implementations and uses a similar packet construction to > RFC5647 AES-GCM (with the exception of encryting the packet length). > There's also the -etm MACs in OpenSSH as Niels observes. I can't find it on http://ssh-comparison.quendi.de/comparison/cipher.html, and I hope it isn't actually named "chacha20-poly1305" without being listed in the IANA registry. Can you give me any pointers? Which Chacha20 nonce size does it use? Does it actually use "invocation counters" instead of the sequence counter? Does it use an IV as fixed part of the nonce, or just zero bytes? > > So I propose defining "chacha20-poly1305" as either the existing > > "chacha20-poly1305@openssh.com" or as a slightly modified variant: > > > > - using AEAD_CHACHA20_POLY1305 from RFC7539 > > - encrypt the packet length with otherwise discarded bytes from the > > first Chacha20 block, i.e. only a single Chacha20 instance > > I chose to use an independently-keyed instance of chacha20 for > length field encryption to be completely sure there could be > no possible decryption oracle between them. This was a deliberately > conservative choice that was fortunately cheap since chacha20 is so > fast. I have no real preference here, I just found it could be a nice option (I think Niels Möller presented it on the mailing list). > > - pad the nonce to 12 bytes with zeroes on the left side, so one can > > simply reuse the original Poly1305 implementation with a 8-byte > > nonce. > > - openssh patch: > > https://github.com/rus-cert/openssh-portable/tree/feature-chacha20-poly1305 > > I agree that if we are redoing the chacha20-poly1305 mode then it > should match the parameter lengths used in other IETF protocols. So the question is (again) whether we should do it or not. > [...] > > With regards to the future of the chacha20-poly1305, I'm hoping > to interest a researcher in looking into length-hiding as a > traffic-analysis countermeasure in the SSH protocol. The "Peek-a-boo" > paper considers fingerprinting websites in the web attack model, which > is very different to and in many ways more demanding than SSH's attack > model. It would be good to have more definitive research that targets > the SSH protocol and thread model passwords, keystroke timings, etc) > and make a decision based on that. > > With that out of the way, and if it yields a recommendation to > pursue length-hiding then it's probably worth revisiting the exact > construction. E.g. your proposal to use the remaining bytes from > the first block, but I wasn't aware of [1] when I designed this mode. I probably have to do some reading to even understand what this is about :) But I don't think this should be considered only for chacha20-poly1305 but for generic AEAD usage (if possible). - Stefan
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller