Contributed by pitrh on from the puffy do the chacha to the poly dept.
My task at ü2k15 was to implement Chacha20-Poly1305 authenticated encryption mode for use in the IPsec stack within the Encapsulating Security Payload (ESP) protocol.
The Authenticated Encryption with Associated Data (AEAD) construction for the Chacha20 stream cipher and the Poly1305 polynomial Message Authentication Code (MAC) is described in RFC 7539, and its application in IPsec/ESP can be found in RFC 7634.
A few steps were required in order to integrate this AEAD construction into the OpenBSD Cryptographic Framework (OCF) and the IPsec stack:
- The Chacha20 initialization vector (IV) setup routine needed to be able to initialize its 64-bit counter state to the provided 32-bit salt and 32-bit initial counter value. The Chacha implementation used in the kernel lacked this part of the API and was updated with changes from the implementation used in OpenSSH.
- The Poly1305 implementation had to be made available inside the kernel to provide an API usable by the OCF. Andrew Moon's 32-bit multiplication optimized implementation was imported and slightly adjusted to fit the OCF.
- An API needed to be implemented on top of Chacha20 and Poly1305 to ensure compatibility with the OCF interface defined in xform.c and xform.h. To do so, a small shim was implemented that wraps the Chacha20 encryption and Poly1305 authentication methods together and ensures the correct initialization and key generation order.
- Chacha20-Poly1305, unlike AES-GCM-16, uses different block sizes for the cipher (64 bytes) and the authenticator (16 bytes), which required a few changes to make sure the right value was used for each operation. This has also increased the maximum encryption block size constant that sizes a few buffers in the kernel; all operations that depend on it were checked to make sure they act correctly.
- A new format for the finalization lengths block was devised for Chacha20-Poly1305 that uses little-endian encoding (unlike GCM, which uses big-endian). The software crypto driver was adjusted accordingly.
- Support in userland tools was limited to IKEv2 Child SA negotiations and ipsecctl(8) decoding of data obtained from the kernel.
The implementation was verified using test vectors and live IPsec traffic between two OpenBSD hosts. A test against the Strongswan implementation is planned for the future.
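As an added illustration (this is not Mike's code and not OpenBSD's chacha.c or poly1305.c), the following C program shows three of the points listed above in working form: how the IETF 96-bit nonce (the 32-bit SA salt followed by the 64-bit per-packet ESP IV) and 32-bit block counter map onto a ChaCha20 core that only exposes the original 64-bit counter and 64-bit nonce; the key generation order, where block 0 yields the one-time Poly1305 key and payload encryption starts at block 1; and the little-endian byte-count lengths block next to GCM's big-endian bit-count block. It checks itself against the RFC 7539 section 2.3.2 (block function) and 2.6.2 (Poly1305 key generation) test vectors. The Poly1305 MAC itself and the ESP framing are left out, and all function names are the example's own, not OCF API names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example; not OpenBSD's chacha.c / poly1305.c. */
#define ROTL32(v, c) (((v) << (c)) | ((v) >> (32 - (c))))
#define QR(x, a, b, c, d) do {                                  \
	x[a] += x[b]; x[d] = ROTL32(x[d] ^ x[a], 16);           \
	x[c] += x[d]; x[b] = ROTL32(x[b] ^ x[c], 12);           \
	x[a] += x[b]; x[d] = ROTL32(x[d] ^ x[a], 8);            \
	x[c] += x[d]; x[b] = ROTL32(x[b] ^ x[c], 7); } while (0)

static uint32_t load32_le(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	    (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store32_le(uint8_t *p, uint32_t v)
{
	p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}
static void store64_le(uint8_t *p, uint64_t v)
{
	store32_le(p, (uint32_t)v); store32_le(p + 4, (uint32_t)(v >> 32));
}
static void store64_be(uint8_t *p, uint64_t v)
{
	int i;
	for (i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* One ChaCha20 block in the original (DJB) layout: state words 12-13 are a
 * 64-bit block counter, words 14-15 a 64-bit nonce. */
static void chacha20_block(const uint8_t key[32], uint64_t counter,
    const uint8_t nonce[8], uint8_t out[64])
{
	static const char sigma[] = "expand 32-byte k";
	uint32_t s[16], x[16];
	int i;

	for (i = 0; i < 4; i++)
		s[i] = load32_le((const uint8_t *)sigma + 4 * i);
	for (i = 0; i < 8; i++)
		s[4 + i] = load32_le(key + 4 * i);
	s[12] = (uint32_t)counter;
	s[13] = (uint32_t)(counter >> 32);
	s[14] = load32_le(nonce);
	s[15] = load32_le(nonce + 4);
	memcpy(x, s, sizeof(x));
	for (i = 0; i < 10; i++) {	/* 20 rounds = 10 double rounds */
		QR(x, 0, 4, 8, 12); QR(x, 1, 5, 9, 13);
		QR(x, 2, 6, 10, 14); QR(x, 3, 7, 11, 15);
		QR(x, 0, 5, 10, 15); QR(x, 1, 6, 11, 12);
		QR(x, 2, 7, 8, 13); QR(x, 3, 4, 9, 14);
	}
	for (i = 0; i < 16; i++)
		store32_le(out + 4 * i, x[i] + s[i]);
}

/* IETF/ESP layout (RFC 7539, RFC 7634): 32-bit counter, 96-bit nonce made of
 * the SA salt and the per-packet IV.  On the 64-bit-counter core above the
 * salt word becomes the high half of the counter and the IV the nonce. */
static void chacha20_ietf_block(const uint8_t key[32], uint32_t counter,
    const uint8_t salt[4], const uint8_t iv[8], uint8_t out[64])
{
	uint64_t ctr64 = ((uint64_t)load32_le(salt) << 32) | counter;
	chacha20_block(key, ctr64, iv, out);
}

/* Key generation order: block 0 gives the one-time Poly1305 key (first 32
 * bytes of keystream); payload encryption starts at block 1. */
static void chacha20_poly1305_otk(const uint8_t key[32], const uint8_t salt[4],
    const uint8_t iv[8], uint8_t otk[32])
{
	uint8_t block[64];
	chacha20_ietf_block(key, 0, salt, iv, block);
	memcpy(otk, block, 32);
}

/* Finalization lengths block: chacha20-poly1305 = 64-bit little-endian byte
 * counts, GCM = 64-bit big-endian bit counts. */
static void aead_lengths_block(uint64_t aad_len, uint64_t ct_len, int gcm,
    uint8_t out[16])
{
	if (gcm) { store64_be(out, aad_len * 8); store64_be(out + 8, ct_len * 8); }
	else { store64_le(out, aad_len); store64_le(out + 8, ct_len); }
}

/* RFC 7539 2.3.2: key 00..1f, nonce 00000009:0000004a:00000000, counter 1. */
int selfcheck_block_vector(void)
{
	static const uint8_t expect[64] = {
	    0x10,0xf1,0xe7,0xe4,0xd1,0x3b,0x59,0x15,0x50,0x0f,0xdd,0x1f,0xa3,0x20,0x71,0xc4,
	    0xc7,0xd1,0xf4,0xc7,0x33,0xc0,0x68,0x03,0x04,0x22,0xaa,0x9a,0xc3,0xd4,0x6c,0x4e,
	    0xd2,0x82,0x64,0x46,0x07,0x9f,0xaa,0x09,0x14,0xc2,0xd7,0x05,0xd9,0x8b,0x02,0xa2,
	    0xb5,0x12,0x9c,0xd1,0xde,0x16,0x4e,0xb9,0xcb,0xd0,0x83,0xe8,0xa2,0x50,0x3c,0x4e };
	static const uint8_t salt[4] = { 0, 0, 0, 0x09 }, iv[8] = { 0, 0, 0, 0x4a, 0, 0, 0, 0 };
	uint8_t key[32], out[64];
	int i;
	for (i = 0; i < 32; i++) key[i] = (uint8_t)i;
	chacha20_ietf_block(key, 1, salt, iv, out);
	return memcmp(out, expect, 64) == 0;
}

/* RFC 7539 2.6.2: key 80..9f, nonce 00000000:00010203:04050607 -> OTK. */
int selfcheck_otk_vector(void)
{
	static const uint8_t expect[32] = {
	    0x8a,0xd5,0xa0,0x8b,0x90,0x5f,0x81,0xcc,0x81,0x50,0x40,0x27,0x4a,0xb2,0x94,0x71,
	    0xa8,0x33,0xb6,0x37,0xe3,0xfd,0x0d,0xa5,0x08,0xdb,0xb8,0xe2,0xfd,0xd1,0xa6,0x46 };
	static const uint8_t salt[4] = { 0, 0, 0, 0 }, iv[8] = { 0, 1, 2, 3, 4, 5, 6, 7 };
	uint8_t key[32], otk[32];
	int i;
	for (i = 0; i < 32; i++) key[i] = (uint8_t)(0x80 + i);
	chacha20_poly1305_otk(key, salt, iv, otk);
	return memcmp(otk, expect, 32) == 0;
}

/* 12 bytes of AAD and 114 bytes of ciphertext (the RFC 7539 2.8.2 sizes). */
int selfcheck_lengths_block(void)
{
	static const uint8_t cp[16] = { 0x0c,0,0,0,0,0,0,0, 0x72,0,0,0,0,0,0,0 };
	static const uint8_t gcm[16] = { 0,0,0,0,0,0,0,0x60, 0,0,0,0,0,0,0x03,0x90 };
	uint8_t out[16];
	aead_lengths_block(12, 114, 0, out);
	if (memcmp(out, cp, 16) != 0) return 0;
	aead_lengths_block(12, 114, 1, out);
	return memcmp(out, gcm, 16) == 0;
}

int main(void)
{
	printf("block: %s otk: %s lengths: %s\n",
	    selfcheck_block_vector() ? "ok" : "FAIL",
	    selfcheck_otk_vector() ? "ok" : "FAIL",
	    selfcheck_lengths_block() ? "ok" : "FAIL");
	return 0;
}
```

The salt-in-the-high-counter-word trick is exactly why a core with only a 64-bit counter needs a setup routine that takes the salt and the initial counter separately: the salt is part of the nonce from the protocol's point of view, but it lives in a counter word inside the state. Note that with this layout the 32-bit block counter must not be allowed to carry into the salt word, so a single SA packet is limited to 2^32 blocks, which is far beyond any ESP payload size.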
I would like to thank IN-Berlin, Stefan Sperling and all Berlin based OpenBSD developers for organizing another amazing event!
Needless to say, this work wouldn't have been possible without the commitment to open cryptography standards by the Chacha20 and Poly1305 inventors and implementors Daniel J. Bernstein and Andrew Moon, as well as the willingness of the IETF (Y. Nir et al.) and Google (A. Langley et al.) to push these algorithms forward. Huge thanks!
Thanks for this important work and the report, Mike!