IETF-SSH archive


Re: ChaCha20-Poly1305 for SSH



On Thu, 26 Nov 2015, Niels Möller wrote:

> So my suggestion is to go with rfc 7539, and in addition, encrypt the
> length field by something like
> 
>    encrypt_length(key, nonce, length)
>          counter = 0
>          block = chacha20_block(key,counter,nonce)
>          return block[32..35] ^ length
>          end
> 
> using the same key and nonce as input as with poly1305_key_gen in RFC
> 7539. (It's then possible, but not at all necessary, to generate the
> poly1305 key and encrypt the length key using a single call to
> chacha20_block. In contrast to chacha20-poly1305@openssh.com, which,
> iirc, uses a separate chacha key just for encrypting the lengths).

IMO if you're going to the trouble of preserving packet length
privacy then you should do it properly and use a separate cipher
instance to do it. In the case of chacha20, it's ridiculously cheap
to do so; the cipher has negligible state.

-d
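
The two length-encryption options discussed in this message, side by side, as an added example that is not code from either poster or from OpenSSH. Assumptions: the nonce layout in `ssh_nonce`, the big-endian (SSH uint32) length encoding, the helper names, and the constructed demo keys.

```python
import struct

M = 0xffffffff

def _qr(s, a, b, c, d):
    # ChaCha quarter round (RFC 7539 section 2.1) on state words a, b, c, d
    for x, y, z, n in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & M
        v = s[z] ^ s[x]
        s[z] = ((v << n) & M) | (v >> (32 - n))

def chacha20_block(key, counter, nonce):
    # RFC 7539 section 2.3: 32-byte key, 32-bit block counter, 12-byte nonce
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                              + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 10 double rounds: 4 column rounds, 4 diagonal rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(s, *q)
    return struct.pack("<16I", *((x + y) & M for x, y in zip(s, init)))

def ssh_nonce(seqnr):
    # Assumption: nonce = 4 zero bytes + 64-bit big-endian packet sequence number
    return struct.pack(">IQ", 0, seqnr)

def length_mask_shared(key, nonce):
    # Quoted proposal: one counter-0 block. Bytes 0..31 are the Poly1305 key
    # (RFC 7539 poly1305_key_gen), bytes 32..35 mask the length field.
    block = chacha20_block(key, 0, nonce)
    return block[:32], block[32:36]

def length_mask_separate(length_key, nonce):
    # Reply's alternative: a second cipher instance with its own key, so length
    # encryption is independent of the key protecting the payload and MAC.
    return chacha20_block(length_key, 0, nonce)[:4]

def mask_length(mask, length):
    return bytes(m ^ b for m, b in zip(mask, struct.pack(">I", length)))

def unmask_length(mask, enc):
    return struct.unpack(">I", bytes(m ^ b for m, b in zip(mask, enc)))[0]

if __name__ == "__main__":
    main_key, len_key = bytes(range(32)), bytes(range(32, 64))  # constructed keys
    nonce = ssh_nonce(7)
    poly_key, shared = length_mask_shared(main_key, nonce)
    print("shared block:", mask_length(shared, 1064).hex())
    print("separate key:", mask_length(length_mask_separate(len_key, nonce), 1064).hex())
```

Both variants cost one ChaCha20 block per packet for the length; the difference is only whether that block comes from the main key or from a dedicated one.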

