Re: ChaCha20-Poly1305 for SSH

nisse@lysator.liu.se (Niels Möller ) Thu, 26 November 2015 15:44 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 252FD1B3B69 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 07:44:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.185
X-Spam-Level:
X-Spam-Status: No, score=-2.185 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3NGt_4rkDH9D for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 07:44:32 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CB8A1B3B36 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 26 Nov 2015 07:44:32 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 3953814A18F; Thu, 26 Nov 2015 15:44:29 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 20DA214A18E for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 15:44:24 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id TP5IC8-5hRT8 for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 15:44:23 +0000 (UTC)
Received: from mail.lysator.liu.se (mail.lysator.liu.se [130.236.254.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 3977914A14B for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 15:44:21 +0000 (UTC)
Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id 911C840027; Thu, 26 Nov 2015 16:44:18 +0100 (CET)
Received: from armitage.lysator.liu.se (armitage.lysator.liu.se [IPv6:2001:6b0:17:f0a0::83]) by mail.lysator.liu.se (Postfix) with SMTP id 710964000B; Thu, 26 Nov 2015 16:44:17 +0100 (CET)
Received: by armitage.lysator.liu.se (sSMTP sendmail emulation); Thu, 26 Nov 2015 16:44:17 +0100
From: nisse@lysator.liu.se
To: Simon Josefsson <simon@josefsson.org>
Cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH
References: <87egfdxebo.fsf@latte.josefsson.org>
Date: Thu, 26 Nov 2015 16:44:17 +0100
In-Reply-To: <87egfdxebo.fsf@latte.josefsson.org> (Simon Josefsson's message of "Thu, 26 Nov 2015 11:08:59 +0100")
Message-ID: <nny4dksr3i.fsf@armitage.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Simon Josefsson <simon@josefsson.org> writes:

> We could also describe a new SSH encryption algorithm that is based on
> the RFC 7539 construct.  Still using ChaCha20-Poly1305, of course, but
> it would work differently.
>
> As far as I understand, the critical technical difference between these
> approaches is whether encrypting the length field is useful or not.

It also uses a different formatting of the poly1305 input, which aligns
the poly1305 blocks with the chacha blocks. Which should be beneficial
in particular for hardware implementations.

> I'm told that encryption the field is of limited use because traffic
> analysis would see the packet lengths anyway.

I don't think that analysis is correct. (See below).

Nevertheless, I think it makes sense to use the rfc 7539 construction.

So my suggestion is to go with rfc 7539, and in addition, encrypt the
length field by something lietk

   encrypt_length(key, nonce, length)
         counter = 0
         block = chacha20_block(key,counter,nonce)
         return block[32..35] ^ length
         end

using the same key and nonce as input as with poly1305_key_gen in RFC
7539. (It's then possible, but not at all necessary, to generate the
poly1305 key and encrypt the length key using a single call to
chacha20_block. In contrast to chacha20-poly1305@openssh.com, which,
iirc, uses a separate chacha key just for encrypting the lengths).

Care is needed to specify the negotiation of aead algorithms, and
the details of what goes into the associated data.

> Does anyone see a strong need for encrypting the length field?

Yes. I think it's valuable defence-in-depth to hide packet lengths and
message boundaries. Note that in the ssh protocol, the boundaries of the
TCP segments need not match the SSH message boundaries at all. It's not
too difficult to arrange that most or all segment boundaries are in the
middle of an ssh message, using SSH_MSG_IGNORE packets when needed.

I won't argue that it is easy to make traffic analysis impossible, but I
believe it's still valuable to make traffic analysis harder.

Best regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.