Re: ChaCha20-Poly1305 for SSH
Stefan Bühler <ietf-ssh@stbuehler.de> Wed, 20 April 2016 08:18 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3886312D6CE for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 20 Apr 2016 01:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.296
X-Spam-Level:
X-Spam-Status: No, score=-5.296 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=stbuehler.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MqzLX7-T6uEO for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Wed, 20 Apr 2016 01:18:54 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D971312B05F for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 20 Apr 2016 01:18:51 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 38F8E85F03; Wed, 20 Apr 2016 08:18:51 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 1EDB985EC0 for <ietf-ssh@netbsd.org>; Wed, 20 Apr 2016 08:18:47 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (1024-bit key) header.d=stbuehler.de
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id rjoUjyzqKNmU for <ietf-ssh@netbsd.org>; Wed, 20 Apr 2016 08:18:46 +0000 (UTC)
Received: from mail.stbuehler.de (stbuehler.de [IPv6:2a01:4f8:a0:2276::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id D207A84CEE for <ietf-ssh@netbsd.org>; Wed, 20 Apr 2016 08:18:45 +0000 (UTC)
Received: from chromobil-cert.local (unknown [IPv6:2a02:8070:a1be:1600:faca:b8ff:fe3a:723]) by mail.stbuehler.de (Postfix) with ESMTPSA id A1D72B803BA for <ietf-ssh@netbsd.org>; Wed, 20 Apr 2016 08:18:39 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=stbuehler.de; s=stbuehler1; t=1461140319; bh=iUx4Iz7VzTy/cV+dlVKOb0THS2aG0OaxB3dDVeG2yvs=; h=Date:From:To:Subject:From; b=metjDCjk9E4dcRJK6DlwPiyi6OsVD7N0ITT+55vLtLokGolPa6pjwR/LYxrVQ1NXA zdQ76fbACquGfY2FXX+RJ/DeE2ToFr5eTTRTb01TTltadmv9+KQGb2RYUkUzNGtF52 En+dXh9t6kCyG76SpeChVanGNE86pF672I9L29x8=
Date: Wed, 20 Apr 2016 10:18:38 +0200
From: Stefan Bühler <ietf-ssh@stbuehler.de>
To: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH
Message-ID: <20160420101838.5861b73d@chromobil-cert.local>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
Hi, some time ago I tried implementing ssh-chacha20-poly1305@openssh on my own and was rather disappointed by the state of the documentation in openssh (in the end the source code told me what I needed to know). Seeing draft-josefsson-ssh-chacha20-poly1305-openssh-00 I hoped there would be some improvement... but well, it is just a copy of the openssh file :) So I started to work on it, and also read some of the following discussion on ietf-ssh. A large part of the discussion spun off discussing a whish list for a new binary packet protocol; changing the binary packet protocol probably requires rewriting core logic in many SSH implementations, so this should be done very carefully and not just for one cipher, and I somehow doubt it will happen soon. So I propose defining "chacha20-poly1305" as either the existing "chacha20-poly1305@openssh.com" or as a slightly modified variant: - using AEAD_CHACHA20_POLY1305 from RFC7539 - encrypt the packet length with otherwise discarded bytes from the first Chacha20 block, i.e. only a single Chacha20 instance - pad the nonce to 12 bytes with zeroes on the left side, so one can simply reuse the original Poly1305 implementation with a 8-byte nonce. - openssh patch: https://github.com/rus-cert/openssh-portable/tree/feature-chacha20-poly1305 The "full" documents can be found here: https://github.com/rus-cert/ssh-chacha20-poly1305-drafts It would be nice to get some feedback on whether there is interest in getting "chacha20-poly1305" out before a protocol redesign and which variant to go for. If there is no interest in getting an RFC for this maybe at least the openssh devs are interested in fixing their documentation :) --- As far as I could see the following questions were raised in the context of the original draft announcement and some later AEAD discussions. My comments on them should explain why I think the openssh variant is basically ok, and why I wouldn't pull more changes into a modified version than I did above. - Whether to use the Poly1305 data construction from RFC7539: At first I thought the Poly1305 usage in "chacha20-poly1305@openssh.com" is vulnerable to some length modifications; but then I remembered that Poly1305 uses an explicit termination in the padding. As the length of the AAD is fixed I see no security gain changing to the method described in RFC7539. - Whether it is necesary to encrypt the packet length field: Some voiced a strong preference for this as a requirement to prevent traffic analysis. It was pointed out the encrypted could lead to some extra attack surface (or has done so in other protocols in the past), but I think it is safe in the context of Chacha20. I see nothing an attacker could gain here compared to not encrypting the length. - Encrypting the packet length using otherwise discarded bytes from the Chacha20 block used for the Poly1305 key: It is a nice idea which can be used to optimize both performance and memory usage. - Binary packet protocol rethink: This is certainly worth exploring, but I don't think this needs to be completed before "chacha20-poly1305" becomes official. I think a new family of algorithms could be started with a different binary packet protocol, or even a new SSH protocol version. (My idea for a new protocol: separate encryption framing and inner message framing. No need to hide the outer packet length anymore.) - Changing padding requirements, authentication of the encrypted length: I see no need to change this in the context of a single algorithm. Belongs into a more generic protocol redesign. Cheers, Stefan
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller