Re: ChaCha20-Poly1305 for SSH
Damien Miller <djm@mindrot.org> Mon, 02 May 2016 16:00 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E675F12D582 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Mon, 2 May 2016 09:00:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.196
X-Spam-Level:
X-Spam-Status: No, score=-5.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gu4ChGAfjEjV for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Mon, 2 May 2016 09:00:08 -0700 (PDT)
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAF3812D57E for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Mon, 2 May 2016 09:00:08 -0700 (PDT)
Received: by mail.netbsd.org (Postfix, from userid 605) id 6C04885EEE; Mon, 2 May 2016 16:00:07 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 4FFE285E7C for <ietf-ssh@netbsd.org>; Mon, 2 May 2016 16:00:03 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id 9pvPyBJGjJLC for <ietf-ssh@netbsd.org>; Mon, 2 May 2016 16:00:02 +0000 (UTC)
Received: from newmailhub.uq.edu.au (mailhub2.soe.uq.edu.au [130.102.132.209]) by mail.netbsd.org (Postfix) with ESMTP id 5820C85E3C for <ietf-ssh@netbsd.org>; Mon, 2 May 2016 16:00:02 +0000 (UTC)
Received: from smtp1.soe.uq.edu.au (smtp1.soe.uq.edu.au [10.138.113.40]) by newmailhub.uq.edu.au (8.14.5/8.14.5) with ESMTP id u42EluA0024196; Tue, 3 May 2016 00:47:57 +1000
Received: from mailhub.eait.uq.edu.au (holly.eait.uq.edu.au [130.102.79.58]) by smtp1.soe.uq.edu.au (8.14.5/8.14.5) with ESMTP id u42EluT7032807 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 3 May 2016 00:47:56 +1000
Received: from natsu.mindrot.org (natsu.mindrot.org [130.102.96.2]) by mailhub.eait.uq.edu.au (8.15.1/8.15.1) with ESMTPS id u42EltpP029293 (version=TLSv1.2 cipher=DHE-RSA-CHACHA20-POLY1305 bits=256 verify=NO); Tue, 3 May 2016 00:47:56 +1000 (AEST)
Received: by natsu.mindrot.org (Postfix, from userid 1000) id 9D305A4F32; Tue, 3 May 2016 00:47:55 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1]) by natsu.mindrot.org (Postfix) with ESMTP id 96AC0A4F31; Tue, 3 May 2016 00:47:55 +1000 (AEST)
Date: Tue, 03 May 2016 00:47:55 +1000
From: Damien Miller <djm@mindrot.org>
To: Stefan Bühler <ietf-ssh@stbuehler.de>
cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH
In-Reply-To: <20160420101838.5861b73d@chromobil-cert.local>
Message-ID: <alpine.BSO.2.20.1605022339400.6962@natsu.mindrot.org>
References: <20160420101838.5861b73d@chromobil-cert.local>
User-Agent: Alpine 2.20 (BSO 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="0-286732729-1462198420=:6962"
Content-ID: <alpine.BSO.2.20.1605030040270.6962@natsu.mindrot.org>
X-Scanned-By: MIMEDefang 2.73 on UQ Mailhub
X-Scanned-By: MIMEDefang 2.75 on 130.102.79.58
X-UQ-FilterTime: 1462200478
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
On Wed, 20 Apr 2016, Stefan Bühler wrote: > Hi, > > some time ago I tried implementing ssh-chacha20-poly1305@openssh on my > own and was rather disappointed by the state of the documentation in > openssh (in the end the source code told me what I needed to know). > > Seeing draft-josefsson-ssh-chacha20-poly1305-openssh-00 I hoped there > would be some improvement... but well, it is just a copy of the openssh > file :) It would be helpful if you said what in the documentation was insufficient so we can improve it. > So I started to work on it, and also read some of the following > discussion on ietf-ssh. > > A large part of the discussion spun off discussing a whish list for a > new binary packet protocol; changing the binary packet protocol probably > requires rewriting core logic in many SSH implementations, so this > should be done very carefully and not just for one cipher, and I somehow > doubt it will happen soon. It's already happened: chacha20-poly1305 is supported by several SSH implementations and uses a similar packet construction to RFC5647 AES-GCM (with the exception of encryting the packet length). There's also the -etm MACs in OpenSSH as Niels observes. > So I propose defining "chacha20-poly1305" as either the existing > "chacha20-poly1305@openssh.com" or as a slightly modified variant: > > - using AEAD_CHACHA20_POLY1305 from RFC7539 > - encrypt the packet length with otherwise discarded bytes from the > first Chacha20 block, i.e. only a single Chacha20 instance I chose to use an independently-keyed instance of chacha20 for length field encryption to be completely sure there could be no possible decryption oracle between them. This was a deliberately conservative choice that was fortunately cheap since chacha20 is so fast. > - pad the nonce to 12 bytes with zeroes on the left side, so one can > simply reuse the original Poly1305 implementation with a 8-byte nonce. > - openssh patch: > https://github.com/rus-cert/openssh-portable/tree/feature-chacha20-poly1305 I agree that if we are redoing the chacha20-poly1305 mode then it should match the parameter lengths used in other IETF protocols. > The "full" documents can be found here: > https://github.com/rus-cert/ssh-chacha20-poly1305-drafts > > It would be nice to get some feedback on whether there is interest in > getting "chacha20-poly1305" out before a protocol redesign and which > variant to go for. > > If there is no interest in getting an RFC for this maybe at least the > openssh devs are interested in fixing their documentation :) Like I said, it would be great if you let us know what in particular was deficient in the documentation so we can fix it. With regards to the future of the chacha20-poly1305, I'm hoping to interest a researcher in looking into length-hiding as a traffic-analysis countermeasure in the SSH protocol. The "Peek-a-boo" paper considers fingerprinting websites in the web attack model, which is very different to and in many ways more demanding than SSH's attack model. It would be good to have more definitive research that targets the SSH protocol and thread model passwords, keystroke timings, etc) and make a decision based on that. With that out of the way, and if it yields a recommendation to pursue length-hiding then it's probably worth revisiting the exact construction. E.g. your proposal to use the remaining bytes from the first block, but I wasn't aware of [1] when I designed this mode. -d [1] http://www.iacr.org/archive/eurocrypt2012/72370677/72370677.pdf
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller