ChaCha20-Poly1305 for SSH
Simon Josefsson <simon@josefsson.org> Thu, 26 November 2015 10:09 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0A6C1B3809 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 02:09:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.485
X-Spam-Level:
X-Spam-Status: No, score=-2.485 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xUn0gVdsmrWT for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 02:09:28 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9E421A036A for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 26 Nov 2015 02:09:28 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id CF1FF14A1C8; Thu, 26 Nov 2015 10:09:26 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 7D28314A1C5 for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 10:09:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id jLQEm6XI6ypV for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 10:09:17 +0000 (UTC)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 4F93814A1B7 for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 10:09:15 +0000 (UTC)
Received: from latte.josefsson.org ([155.4.17.2]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id tAQA8x8V003857 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT) for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 11:09:01 +0100
X-Hashcash: 1:22:151126:ietf-ssh@netbsd.org::uFUF5vmXLBNMMeDE:UN7l
From: Simon Josefsson <simon@josefsson.org>
To: ietf-ssh@netbsd.org
Subject: ChaCha20-Poly1305 for SSH
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
Date: Thu, 26 Nov 2015 11:08:59 +0100
Message-ID: <87egfdxebo.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
Hi. I've taken Damien writeup on Damien/Markus's chacha20-poly1305@openssh.com and put that into an IETF draft: https://tools.ietf.org/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00 There have been some offlist conversation about how to move forward with this in the IETF. The challenge is that the construct differs from the ChaCha20-Poly1305 construct used in RFC 7539. To have something to start IETF discussions, I thought it would be useful to have the OpenSSH-specific construct described in a draft. We could turn this into an IETF blessed approach by stripping "@openssh.com" and register that with IANA, similar to what is done for curve25519. We could also describe a new SSH encryption algorithm that is based on the RFC 7539 construct. Still using ChaCha20-Poly1305, of course, but it would work differently. As far as I understand, the critical technical difference between these approaches is whether encrypting the length field is useful or not. I'm told that encryption the field is of limited use because traffic analysis would see the packet lengths anyway. Regardless of whether it is useful to do this, I believe it would be a bad idea to push something in IETF that SSH implementers aren't interested in implementing. So if we do something other than stripping @openssh.com I believe we will need to build consensus for doing that among implementers first. For consistency and simplicity of algorithm description, I do want to see a RFC 7539 based approach explored though, and we may end up writing a different draft on that. If you are an SSH implementer that supports chacha20-poly1305@openssh.com, are you interested in implementing support for a more streamlined variant that would lack encryption of the length field? Does anyone see a strong need for encrypting the length field? /Simon
- ChaCha20-Poly1305 for SSH Simon Josefsson
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Binary packet protocol rethink (was: Re: ChaCha20… Simon Tatham
- Re: Binary packet protocol rethink Simon Josefsson
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- RE: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Damien Miller
- Re: Binary packet protocol rethink (was: Re: ChaC… Mark D. Baushke
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- RE: Binary packet protocol rethink (was: Re: ChaC… Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Simon Tatham
- Re: Binary packet protocol rethink (was: Re: ChaC… Simon Josefsson
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Bryan Ford
- Re: Binary packet protocol rethink Bryan Ford
- RE: Binary packet protocol rethink Peter Gutmann
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Niels Möller
- Re: Binary packet protocol rethink Niels Möller
- RE: Binary packet protocol rethink Peter Gutmann
- Re: Binary packet protocol rethink Bryan Ford
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Niels Möller
- Re: ChaCha20-Poly1305 for SSH Damien Miller
- Re: ChaCha20-Poly1305 for SSH Stefan Bühler
- Re: ChaCha20-Poly1305 for SSH Damien Miller