ChaCha20-Poly1305 for SSH

Simon Josefsson <simon@josefsson.org> Thu, 26 November 2015 10:09 UTC

Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0A6C1B3809 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 02:09:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.485
X-Spam-Level:
X-Spam-Status: No, score=-2.485 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xUn0gVdsmrWT for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 26 Nov 2015 02:09:28 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9E421A036A for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 26 Nov 2015 02:09:28 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id CF1FF14A1C8; Thu, 26 Nov 2015 10:09:26 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 7D28314A1C5 for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 10:09:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id jLQEm6XI6ypV for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 10:09:17 +0000 (UTC)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 4F93814A1B7 for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 10:09:15 +0000 (UTC)
Received: from latte.josefsson.org ([155.4.17.2]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id tAQA8x8V003857 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT) for <ietf-ssh@netbsd.org>; Thu, 26 Nov 2015 11:09:01 +0100
X-Hashcash: 1:22:151126:ietf-ssh@netbsd.org::uFUF5vmXLBNMMeDE:UN7l
From: Simon Josefsson <simon@josefsson.org>
To: ietf-ssh@netbsd.org
Subject: ChaCha20-Poly1305 for SSH
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
Date: Thu, 26 Nov 2015 11:08:59 +0100
Message-ID: <87egfdxebo.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Hi.  I've taken Damien writeup on Damien/Markus's
chacha20-poly1305@openssh.com and put that into an IETF draft:

https://tools.ietf.org/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00

There have been some offlist conversation about how to move forward with
this in the IETF.  The challenge is that the construct differs from the
ChaCha20-Poly1305 construct used in RFC 7539.

To have something to start IETF discussions, I thought it would be
useful to have the OpenSSH-specific construct described in a draft.

We could turn this into an IETF blessed approach by stripping
"@openssh.com" and register that with IANA, similar to what is done for
curve25519.

We could also describe a new SSH encryption algorithm that is based on
the RFC 7539 construct.  Still using ChaCha20-Poly1305, of course, but
it would work differently.

As far as I understand, the critical technical difference between these
approaches is whether encrypting the length field is useful or not.  I'm
told that encryption the field is of limited use because traffic
analysis would see the packet lengths anyway.

Regardless of whether it is useful to do this, I believe it would be a
bad idea to push something in IETF that SSH implementers aren't
interested in implementing.  So if we do something other than stripping
@openssh.com I believe we will need to build consensus for doing that
among implementers first.

For consistency and simplicity of algorithm description, I do want to
see a RFC 7539 based approach explored though, and we may end up writing
a different draft on that.

If you are an SSH implementer that supports
chacha20-poly1305@openssh.com, are you interested in implementing
support for a more streamlined variant that would lack encryption of the
length field?

Does anyone see a strong need for encrypting the length field?

/Simon