OpenBSD Journal

ChaCha20 and Poly1305 in OpenSSH

Contributed by jcr on from the the-poly-cha-cha-is-the-new-dance-craze dept.

OpenBSD developer Damien Miller (djm@) wrote a great post titled "ChaCha20 and Poly1305 in OpenSSH" and below is a small excerpt:

Recently, I committed support for a new authenticated encryption cipher for OpenSSH, chacha20-poly1305@openssh.com. This cipher combines two primitives from Daniel J. Bernstein: the ChaCha20 cipher and the Poly1305 MAC (Message Authentication Code) and was inspired by Adam Langley's similar proposal for TLS.

Why another cipher and MAC? A few reasons... First, we would like a high-performance cipher to replace RC4 since it is pretty close to broken now, we'd also like an authenticated encryption mode to complement AES-GCM - which is great if your hardware supports it, but takes significant voodoo to make run in constant time and, finally, having an authenticated encryption mode that is based on a stream cipher allows us to encrypt the packet lengths again.

Wait, what do you mean by "encrypt the packet lengths again"? (last rhetorical question, I promise) Well, it's a long story that requires a little background...
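To make the "authenticated encryption from a stream cipher" point concrete, here is a from-scratch Python model of the chacha20-poly1305@openssh.com packet framing as laid out in PROTOCOL.chacha20poly1305 (linked in the comments below). This is an added example, not code from djm's post or from OpenSSH: the 512-bit key from the key exchange is split into K_2 (first 256 bits, body and MAC key) and K_1 (second 256 bits, used only for the 4-byte length field); the packet sequence number, as a big-endian uint64, is the nonce; ChaCha20 block 0 under K_2 yields the one-time Poly1305 key and blocks 1 onward encrypt the body; the tag covers the encrypted length plus the body. `MAX_BODY_LEN` and the function names are constructed for the example.

```python
import hmac
import struct

# Sanity bound on the decrypted-but-not-yet-authenticated length field.
# Constructed for this example; OpenSSH enforces its own maximum packet size.
MAX_BODY_LEN = 256 * 1024


def _rotl32(v, c):
    return ((v << c) & 0xffffffff) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block of Bernstein's original ChaCha20:
    32-byte key, 64-bit block counter, 8-byte nonce (the layout OpenSSH uses)."""
    state = list(struct.unpack('<4I', b'expand 32-byte k'))
    state += struct.unpack('<8I', key)
    state += struct.unpack('<2I', struct.pack('<Q', counter))
    state += struct.unpack('<2I', nonce)
    work = state[:]
    for _ in range(10):  # 20 rounds = 10 double-rounds (column round, then diagonal round)
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack('<16I', *((w + s) & 0xffffffff for w, s in zip(work, state)))


def chacha20_xor(key, counter, nonce, data):
    """XOR data with keystream starting at the given block counter."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def poly1305(key, msg):
    """Poly1305 one-time authenticator: 32-byte key (r || s), 16-byte tag."""
    r = int.from_bytes(key[:16], 'little') & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s = int.from_bytes(key[16:], 'little')
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):
        chunk = msg[i:i + 16]
        # each chunk becomes a number with a 1 bit appended above its top byte
        acc = (acc + int.from_bytes(chunk, 'little') + (1 << (8 * len(chunk)))) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, 'little')


def ssh_encrypt(key64, seqnr, body):
    """Sender side. key64 is the 512 bits from the SSH KEX: K_2 is the first
    256 bits (body + MAC key), K_1 the second 256 bits (length field only)."""
    k2, k1 = key64[:32], key64[32:]
    nonce = struct.pack('>Q', seqnr)                      # packet sequence number as uint64
    enc_len = chacha20_xor(k1, 0, nonce, struct.pack('>I', len(body)))
    poly_key = chacha20_block(k2, 0, nonce)[:32]          # block counter 0 -> Poly1305 key
    ct = chacha20_xor(k2, 1, nonce, body)                 # block counter 1 onward -> body
    tag = poly1305(poly_key, enc_len + ct)                # MAC covers encrypted length + body
    return enc_len + ct + tag


def ssh_decrypt(key64, seqnr, stream):
    """Receiver side on a byte stream: decrypt the 4-byte length with K_1 just far
    enough to know how much to read, verify the MAC, then decrypt the body.
    Returns (body, bytes_consumed)."""
    k2, k1 = key64[:32], key64[32:]
    nonce = struct.pack('>Q', seqnr)
    if len(stream) < 4:
        raise ValueError('need the length field first')
    length = struct.unpack('>I', chacha20_xor(k1, 0, nonce, stream[:4]))[0]
    if length > MAX_BODY_LEN:        # not authenticated yet: bound it before acting on it
        raise ValueError('implausible packet length')
    total = 4 + length + 16
    if len(stream) < total:
        raise ValueError('incomplete packet')
    enc_len, ct, tag = stream[:4], stream[4:4 + length], stream[4 + length:total]
    poly_key = chacha20_block(k2, 0, nonce)[:32]
    if not hmac.compare_digest(poly1305(poly_key, enc_len + ct), tag):
        raise ValueError('MAC check failed')             # body is never decrypted before this
    return chacha20_xor(k2, 1, nonce, ct), total
```

The receiver only ever uses the decrypted length to decide how many more bytes to read; a tampered length simply leads to a MAC failure once the supposed packet has arrived, and because a stream cipher does not need block-aligned input, the 4-byte length can be encrypted on its own under a separate key without leaking anything about the body.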



Comments
  1. By Andreas Andersson (85.230.125.88) on

    I love you.

  2. By Anonymous Coward (94.217.21.23) on

    Heh. You can improve your symmetric crypto all you like. It's no use when the NSA can intercept the symmetric key, is it? To be specific: The curve parameters of both NIST curves used by OpenSSH were selected by the NSA; whatever happened to nothing-up-your-sleeve numbers?

    Comments
    1. By \\ (2001:470:e4ef:1:ba97:5aff:fe04:fa60) on

      > Heh. You can improve your symmetric crypto all you like. It's no use when the NSA can intercept the symmetric key, is it? To be specific: The curve parameters of both NIST curves used by OpenSSH were selected by the NSA; whatever happened to nothing-up-your-sleeve numbers?

      Use RSA

      Comments
      1. By Anonymous Coward (178.7.28.75) on

        > > Heh. You can improve your symmetric crypto all you like. It's no use when the NSA can intercept the symmetric key, is it? To be specific: The curve parameters of both NIST curves used by OpenSSH were selected by the NSA; whatever happened to nothing-up-your-sleeve numbers?
        >
        > Use RSA

        It's a fix, not a solution. If it's likely to be backdoored, they should pull it.

  3. By Anonymous Coward (cnst) on http://bxr.su/OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305

    What does this actually mean for the normal people, who don't work on crypto as their primary occupation, but simply use it as a black-box tool to accomplish other tasks?

    Is it just "a high-performance cipher to replace RC4 since it is pretty close to broken now" (to quote djm), or is it a great choice to use as the default protocol on, say, new x86 installations, where crypto use by ssh isn't known to be a bottleneck?


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]