Re: ChaCha20-Poly1305 for SSH
nisse@lysator.liu.se (Niels Möller ) Thu, 26 November 2015 15:44 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 252FD1B3B69 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 07:44:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.185
X-Spam-Level:
X-Spam-Status: No, score=-2.185 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3NGt_4rkDH9D for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 07:44:32 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CB8A1B3B36 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 26 Nov 2015 07:44:32 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 3953814A18F; Thu, 26 Nov 2015 15:44:29 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 20DA214A18E for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 15:44:24 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id TP5IC8-5hRT8 for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 15:44:23 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [130.236.254.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 3977914A14B for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 15:44:21 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id 911C840027; Thu, 26 Nov 2015 16:44:18 +0100 (CET)
Received: from armitage.lysator.liu.se (armitage.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83]) by mail.lysator.liu.se (Postfix) with SMTP id 710964000B; Thu, 26 Nov 2015 16:44:17 +0100 (CET)
Received: by armitage.lysator.liu.se (sSMTP sendmail emulation); Thu, 26 Nov 2015 16:44:17 +0100
From: nisse@lysator.liu.se
To: Simon Josefsson <simon@josefsson.org>
Cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH
References: <87egfdxebo.fsf@latte.josefsson.org>
Date: Thu, 26 Nov 2015 16:44:17 +0100
In-Reply-To: <87egfdxebo.fsf@latte.josefsson.org> (Simon Josefsson's message of "Thu, 26 Nov 2015 11:08:59 +0100")
Message-ID: <nny4dksr3i.fsf@armitage.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
Simon Josefsson <simon@josefsson.org> writes: > We could also describe a new SSH encryption algorithm that is based on > the RFC 7539 construct. Still using ChaCha20-Poly1305, of course, but > it would work differently. > > As far as I understand, the critical technical difference between these > approaches is whether encrypting the length field is useful or not. It also uses a different formatting of the poly1305 input, which aligns the poly1305 blocks with the chacha blocks. Which should be beneficial in particular for hardware implementations. > I'm told that encryption the field is of limited use because traffic > analysis would see the packet lengths anyway. I don't think that analysis is correct. (See below). Nevertheless, I think it makes sense to use the rfc 7539 construction. So my suggestion is to go with rfc 7539, and in addition, encrypt the length field by something lietk encrypt_length(key, nonce, length) counter = 0 block = chacha20_block(key,counter,nonce) return block[32..35] ^ length end using the same key and nonce as input as with poly1305_key_gen in RFC 7539. (It's then possible, but not at all necessary, to generate the poly1305 key and encrypt the length key using a single call to chacha20_block. In contrast to chacha20-poly1305@openssh.com, which, iirc, uses a separate chacha key just for encrypting the lengths). Care is needed to specify the negotiation of aead algorithms, and the details of what goes into the associated data. > Does anyone see a strong need for encrypting the length field? Yes. I think it's valuable defence-in-depth to hide packet lengths and message boundaries. Note that in the ssh protocol, the boundaries of the TCP segments need not match the SSH message boundaries at all. It's not too difficult to arrange that most or all segment boundaries are in the middle of an ssh message, using SSH_MSG_IGNORE packets when needed. I won't argue that it is easy to make traffic analysis impossible, but I believe it's still valuable to make traffic analysis harder. Best regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller