PROTOCOL.chacha20poly1305 4.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108
  1. This document describes the chacha20-poly1305@openssh.com authenticated
  2. encryption cipher supported by OpenSSH.
  3. Background
  4. ----------
  5. ChaCha20 is a stream cipher designed by Daniel Bernstein and described
  6. in [1]. It operates by permuting 128 fixed bits, 128 or 256 bits of key,
  7. a 64 bit nonce and a 64 bit counter into 64 bytes of output. This output
  8. is used as a keystream, with any unused bytes simply discarded.
  9. Poly1305[2], also by Daniel Bernstein, is a one-time Carter-Wegman MAC
  10. that computes a 128 bit integrity tag given a message and a single-use
  11. 256 bit secret key.
  12. The chacha20-poly1305@openssh.com combines these two primitives into an
  13. authenticated encryption mode. The construction used is based on that
  14. proposed for TLS by Adam Langley in [3], but differs in the layout of
  15. data passed to the MAC and in the addition of encryption of the packet
  16. lengths.
  17. Negotiation
  18. -----------
  19. The chacha20-poly1305@openssh.com offers both encryption and
  20. authentication. As such, no separate MAC is required. If the
  21. chacha20-poly1305@openssh.com cipher is selected in key exchange,
  22. the offered MAC algorithms are ignored and no MAC is required to be
  23. negotiated.
  24. Detailed Construction
  25. ---------------------
  26. The chacha20-poly1305@openssh.com cipher requires 512 bits of key
  27. material as output from the SSH key exchange. This forms two 256 bit
  28. keys (K_1 and K_2), used by two separate instances of chacha20.
  29. The first 256 bits constitute K_2 and the second 256 bits become
  30. K_1.
  31. The instance keyed by K_1 is a stream cipher that is used only
  32. to encrypt the 4 byte packet length field. The second instance,
  33. keyed by K_2, is used in conjunction with poly1305 to build an AEAD
  34. (Authenticated Encryption with Associated Data) that is used to encrypt
  35. and authenticate the entire packet.
  36. Two separate cipher instances are used here so as to keep the packet
  37. lengths confidential but not create an oracle for the packet payload
  38. cipher by decrypting and using the packet length prior to checking
  39. the MAC. By using an independently-keyed cipher instance to encrypt the
  40. length, an active attacker seeking to exploit the packet input handling
  41. as a decryption oracle can learn nothing about the payload contents or
  42. its MAC (assuming key derivation, ChaCha20 and Poly1305 are secure).
  43. The AEAD is constructed as follows: for each packet, generate a Poly1305
  44. key by taking the first 256 bits of ChaCha20 stream output generated
  45. using K_2, an IV consisting of the packet sequence number encoded as an
  46. uint64 under the SSH wire encoding rules and a ChaCha20 block counter of
  47. zero. The K_2 ChaCha20 block counter is then set to the little-endian
  48. encoding of 1 (i.e. {1, 0, 0, 0, 0, 0, 0, 0}) and this instance is used
  49. for encryption of the packet payload.
  50. Packet Handling
  51. ---------------
  52. When receiving a packet, the length must be decrypted first. When 4
  53. bytes of ciphertext length have been received, they may be decrypted
  54. using the K_1 key, a nonce consisting of the packet sequence number
  55. encoded as a uint64 under the usual SSH wire encoding and a zero block
  56. counter to obtain the plaintext length.
  57. Once the entire packet has been received, the MAC MUST be checked
  58. before decryption. A per-packet Poly1305 key is generated as described
  59. above and the MAC tag calculated using Poly1305 with this key over the
  60. ciphertext of the packet length and the payload together. The calculated
  61. MAC is then compared in constant time with the one appended to the
  62. packet and the packet decrypted using ChaCha20 as described above (with
  63. K_2, the packet sequence number as nonce and a starting block counter of
  64. 1).
  65. To send a packet, first encode the 4 byte length and encrypt it using
  66. K_1. Encrypt the packet payload (using K_2) and append it to the
  67. encrypted length. Finally, calculate a MAC tag and append it.
  68. Rekeying
  69. --------
  70. ChaCha20 must never reuse a {key, nonce} for encryption nor may it be
  71. used to encrypt more than 2^70 bytes under the same {key, nonce}. The
  72. SSH Transport protocol (RFC4253) recommends a far more conservative
  73. rekeying every 1GB of data sent or received. If this recommendation
  74. is followed, then chacha20-poly1305@openssh.com requires no special
  75. handling in this area.
  76. References
  77. ----------
  78. [1] "ChaCha, a variant of Salsa20", Daniel Bernstein
  79. http://cr.yp.to/chacha/chacha-20080128.pdf
  80. [2] "The Poly1305-AES message-authentication code", Daniel Bernstein
  81. http://cr.yp.to/mac/poly1305-20050329.pdf
  82. [3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley
  83. http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
  84. $OpenBSD: PROTOCOL.chacha20poly1305,v 1.5 2020/02/21 00:04:43 dtucker Exp $