Re: ChaCha20-Poly1305 for SSH
Stefan Bühler <ietf-ssh@stbuehler.de> Fri, 22 April 2016 10:57 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31ECC12E694 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 22 Apr 2016 03:57:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.296
X-Spam-Level:
X-Spam-Status: No, score=-5.296 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=stbuehler.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UCgOoFZV2kyH for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Fri, 22 Apr 2016 03:57:48 -0700 (PDT)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:470:a085:999::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A6A512E68B for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Fri, 22 Apr 2016 03:57:48 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 88AE085E96; Fri, 22 Apr 2016 10:57:46 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 6278285E58 for <ietf-ssh@netbsd.org>; Fri, 22 Apr 2016 10:57:40 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (1024-bit key) header.d=stbuehler.de
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id 1krWsfAc8SWy for <ietf-ssh@netbsd.org>; Fri, 22 Apr 2016 10:57:39 +0000 (UTC)
Received: from mail.stbuehler.de (stbuehler.de [IPv6:2a01:4f8:a0:2276::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id E60F484CEE for <ietf-ssh@netbsd.org>; Fri, 22 Apr 2016 10:57:37 +0000 (UTC)
Received: from chromobil-cert.local (unknown [82.113.98.240]) by mail.stbuehler.de (Postfix) with ESMTPSA id 9F412B80426; Fri, 22 Apr 2016 10:57:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=stbuehler.de; s=stbuehler1; t=1461322654; bh=g7ZkacO9SCLith4+Mfn9eyN11AujEptZU4QCsax7Q7k=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=nM3GSUDSPP1m56Gbmt2xOjM2Up22Iud+Vke/wOhM08ZrOpsCCFAZJlNTSidK9S9P0 sHFcNKYcGdfOE7mEDlH2qQfR1Kqu4KGemVZa9waCWD8D9wHLM/tw1rLXuUHXmuOEKq AK+YsTlJGuypuhbIWA6YYqWxENFfMGgzWP19rwo0=
Date: Fri, 22 Apr 2016 12:57:31 +0200
From: Stefan Bühler <ietf-ssh@stbuehler.de>
To: ietf-ssh@netbsd.org
Cc: nisse@lysator.liu.se
Subject: Re: ChaCha20-Poly1305 for SSH
Message-ID: <20160422125731.56e804dc@chromobil-cert.local>
In-Reply-To: <nntwiuu61g.fsf@armitage.lysator.liu.se>
References: <20160420101838.5861b73d@chromobil-cert.local> <nntwiuu61g.fsf@armitage.lysator.liu.se>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
Hi Niels, thanks for your feedback! On Thu, 21 Apr 2016 21:15:55 +0200 nisse@lysator.liu.se (Niels Möller) wrote: > Stefan Bühler <ietf-ssh@stbuehler.de> writes: > [...] > > I hope you've also seen draft-nisse-secsh-aead-00. I'm replying > looking for ways to improve that and move forward. My feeling is that this document already is the "protocol rethink" (and not just a "small algorithm family"), because: - a "protocol rethink" would only allow AEAD anyway - when core packet handling is changed it should be done right in the first place So let me repeat my idea for a new protocol here: I'd separate the cryptographic message framing from the SSH message framing. That way one could really use "any" standard AEAD interface without the need to specify how the packet length is encrypted with each single AEAD, simpler nonce generation, ... > [...] > > - pad the nonce to 12 bytes with zeroes on the left side, so one can > > simply reuse the original Poly1305 implementation with a 8-byte > > nonce. > > I'm not following you here. And I'm not sure what you mean by > "original poly1305". Poly1305-AES as defined in > http://cr.yp.to/mac/poly1305-20050329.pdf? Or the salsa20-poly1305 > described in http://cr.yp.to/highspeed/naclcrypto-20090310.pdf, which > I think is what chacha-poly1305 evolved from? I don't think either > uses an 8-byte nonce. Oh my... sorry. I meant Chacha20 of course; DJBs original definition uses a little-endian 64-bit block-counter and a 64-bit nonce (often the packet counter). RFC7539 moves the trailing 4 bytes from the block counter (which are almost always zero - no packet is that big) and prepends them to the nonce in the interface (but does the same thing internally) to get the "standard" 12-byte nonce interface. (This also applies to how the Salsa20 streaming function in naclcrypto-20090310.pdf is applied. Chacha20 copies the definition of the 16-byte input from Salsa20.) Also see how I didn't need to change the Chacha20 nonce or implementation for the openssh patch. > > - Whether to use the Poly1305 data construction from RFC7539: > > > > At first I thought the Poly1305 usage in > > "chacha20-poly1305@openssh.com" is vulnerable to some length > > modifications; but then I remembered that Poly1305 uses an > > explicit termination in the padding. > > As a crypto library author, I'd really prefer if there were a single > definition of chacha-poly1305 used in all applications. But that's > maybe not a very compelling argument for ssh protocol design. There > may also be reasons of ietf politics to stick to ietf's definition. Yes, I'd prefer that too. But is the preference important enough to modify an already existing protocol? > [...] > > - Whether it is necesary to encrypt the packet length field: > > > > Some voiced a strong preference for this as a requirement to > > prevent traffic analysis. > > > > It was pointed out the encrypted could lead to some extra attack > > surface (or has done so in other protocols in the past), but I > > think it is safe in the context of Chacha20. I see nothing an > > attacker could gain here compared to not encrypting the length. > > My quite strong opinion is that we shouldn't force others to choose > between encrypted packet lengths, and using chacha-poly1305. And when > writing a specification which mentions this topic, I'd like to > recommend that other AEAD ciphers also encrypt the packet lengths, > and give some clear guidance on how to do it properly. Sounds good to me. > > - Encrypting the packet length using otherwise discarded bytes from > > the Chacha20 block used for the Poly1305 key: > > > > It is a nice idea which can be used to optimize both performance > > and memory usage. > > I agree it's a nice idea. I didn't go that way in my draft, because > (i) the optimization is minor, a single chacha_core operation and > very small state, and (2) because it's very algorithm specific, it > doesn't generalize to other AEAD ciphers. I'd be happy to change, if > there is support for this idea. I also consider this optional in my "variant" proposal; I'd be also fine with the current openssh implementation simply using a second key. When encrypting the packet length is still required (see my comments regarding "protocol rethink" above) I think using different nonces in a generic AEAD specification is a good idea (although I don't think the shift by one bit is a good idea. I'd rather shift by 32-bits, requiring a >= 8-byte nonce instead of >= 5-byte). > Also note that it's straightforward to this based on a pure > RFC5116-style interface to chacha-poly1305, which doesn't output the > additional bytes of the first block: simply run chacha20 one more time > to get the bytes used for length encryption. No less efficient than > using a separate chacha instance, like openssh is doing. Agreed. > > - Changing padding requirements, authentication of the encrypted > > length: > > > > I see no need to change this in the context of a single algorithm. > > Belongs into a more generic protocol redesign. > > I'm afraid some tweaks to the padding requirements are needed even if > you only think of chacha-poly1305, the original padding rules don't > make much sense when the length isn't encrypted in the same way as > the rest of the payload. Sorry :) I considered the EtM padding handling as done in openssh a "standard"; I meant I'd rather avoid further changes in context of a single algorithm: I'd keep the "at least four bytes" and "pad to multiple of min(8, blocksize)" requirements (which results in a minimum packet size of 12 bytes instead of 16 with MtE). > And I think it's desirable to have AEAD ciphers in ssh do things the > same way. It's a bit annoying, because the details aren't terribly > important, but it has to be nailed down, and I have difficulty > finding a way that isn't a bit ugly in one way or the other. I agree that a better AEAD integration is needed, and that it should be done in a consistent way. The question remains: push "chacha20-poly1305" being identical or close to the openssh one or wait for a generic AEAD / "protocol rethink"? Cheers, Stefan
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller