Skip to main content

Secure Shell (SSH) authenticated encryption cipher: chacha20-poly1305
draft-josefsson-ssh-chacha20-poly1305-openssh-01

Document Type Active Internet-Draft (individual)
Authors Damien Miller , Simon Josefsson
Last updated 2024-08-21
RFC stream (None)
Intended RFC status (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-josefsson-ssh-chacha20-poly1305-openssh-01
Network Working Group                                          D. Miller
Internet-Draft                                                   OpenSSH
Intended status: Informational                              S. Josefsson
Expires: 22 February 2025                                         SJD AB
                                                          21 August 2024

 Secure Shell (SSH) authenticated encryption cipher: chacha20-poly1305
            draft-josefsson-ssh-chacha20-poly1305-openssh-01

Abstract

   This document describes the Secure Shell (SSH) chacha20-poly1305
   authenticated encryption cipher.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 22 February 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Miller & Josefsson      Expires 22 February 2025                [Page 1]
Internet-Draft            SSH chacha20-poly1305              August 2024

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Negotiation . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Detailed Construction . . . . . . . . . . . . . . . . . . . .   3
   4.  Packet Handling . . . . . . . . . . . . . . . . . . . . . . .   3
   5.  Rekeying  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   4
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   4
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   4
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   ChaCha20 is a stream cipher designed by Daniel Bernstein and
   described in [ChaCha].  It operates by permuting 128 fixed bits, 128
   or 256 bits of key, a 64 bit nonce and a 64 bit counter into 64 bytes
   of output.  This output is used as a keystream, with any unused bytes
   simply discarded.

   Poly1305 [Poly1305], also by Daniel Bernstein, is a one-time Carter-
   Wegman MAC that computes a 128 bit integrity tag given a message and
   a single-use 256 bit secret key.

   The "chacha20-poly1305" cipher combines these two primitives into an
   authenticated encryption mode.  The construction used is based on
   that proposed for TLS by Adam Langley in
   [I-D.agl-tls-chacha20poly1305], but differs in the layout of data
   passed to the MAC and in the addition of encyption of the packet
   lengths.

   This document specify and register "chacha20-poly1305" to be
   identical to the already widely deployed
   "chacha20-poly1305@openssh.com".

2.  Negotiation

   The "chacha20-poly1305" offers both encryption and authentication.
   As such, no separate MAC is required.  If the "chacha20-poly1305"
   cipher is selected in key exchange, the offered MAC algorithms are
   ignored and no MAC is required to be negotiated.

Miller & Josefsson      Expires 22 February 2025                [Page 2]
Internet-Draft            SSH chacha20-poly1305              August 2024

3.  Detailed Construction

   The "chacha20-poly1305" cipher requires 512 bits of key material as
   output from the SSH key exchange.  This forms two 256 bit keys (K_1
   and K_2), used by two separate instances of chacha20.

   The instance keyed by K_1 is a stream cipher that is used only to
   encrypt the 4 byte packet length field.  The second instance, keyed
   by K_2, is used in conjunction with poly1305 to build an AEAD
   (Authenticated Encryption with Associated Data) that is used to
   encrypt and authenticate the entire packet.

   Two separate cipher instances are used here so as to keep the packet
   lengths confidential but not create an oracle for the packet payload
   cipher by decrypting and using the packet length prior to checking
   the MAC.  By using an independently-keyed cipher instance to encrypt
   the length, an active attacker seeking to exploit the packet input
   handling as a decryption oracle can learn nothing about the payload
   contents or its MAC (assuming key derivation, ChaCha20 and Poly1305
   are secure).

   The AEAD is constructed as follows: for each packet, generate a
   Poly1305 key by taking the first 256 bits of ChaCha20 stream output
   generated using K_2, an IV consisting of the packet sequence number
   encoded as an uint64 under the SSH wire encoding rules and a ChaCha20
   block counter of zero.  The K_2 ChaCha20 block counter is then set to
   the little-endian encoding of 1 (i.e. {1, 0, 0, 0, 0, 0, 0, 0}) and
   this instance is used for encryption of the packet payload.

4.  Packet Handling

   When receiving a packet, the length must be decrypted first.  When 4
   bytes of ciphertext length have been received, they may be decrypted
   using the K_1 key, a nonce consisting of the packet sequence number
   encoded as a uint64 under the usual SSH wire encoding and a zero
   block counter to obtain the plaintext length.

   Once the entire packet has been received, the MAC MUST be checked
   before decryption.  A per-packet Poly1305 key is generated as
   described above and the MAC tag calculated using Poly1305 with this
   key over the ciphertext of the packet length and the payload
   together.  The calculated MAC is then compared in constant time with
   the one appended to the packet and the packet decrypted using
   ChaCha20 as described above (with K_2, the packet sequence number as
   nonce and a starting block counter of 1).

Miller & Josefsson      Expires 22 February 2025                [Page 3]
Internet-Draft            SSH chacha20-poly1305              August 2024

   To send a packet, first encode the 4 byte length and encrypt it using
   K_1.  Encrypt the packet payload (using K_2) and append it to the
   encrypted length.  Finally, calculate a MAC tag and append it.

5.  Rekeying

   ChaCha20 must never reuse a {key, nonce} for encryption nor may it be
   used to encrypt more than 2^70 bytes under the same {key, nonce}. The
   SSH Transport protocol [RFC4253] recommends a far more conservative
   rekeying every 1GB of data sent or received.  If this recommendation
   is followed, then "chacha20-poly1305" requires no special handling in
   this area.

6.  Acknowledgements

   Markus Friedl helped on the design.  Theo de Raadt supported to
   register the OpenSSH private-use cipher for generic use.

7.  IANA Considerations

   IANA is requested to add a new "Encryption Algorithm Name" of
   "chacha20-poly1305" the "Encryption Algorithm Names" registry for
   Secure Shell (SSH) Protocol Parameters [IANA-ENCALG] with a
   "Reference" field referring this RFC.

8.  References

8.1.  Normative References

   [RFC4253]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
              January 2006, <https://www.rfc-editor.org/info/rfc4253>.

   [IANA-ENCALG]
              IANA, "Secure Shell (SSH) Protocol Parameters: Encryption
              Algorithm Names",
              <https://www.iana.org/assignments/ssh-parameters/>.

8.2.  Informative References

   [I-D.agl-tls-chacha20poly1305]
              Langley, A. and W. Chang, "ChaCha20 and Poly1305 based
              Cipher Suites for TLS", Work in Progress, Internet-Draft,
              draft-agl-tls-chacha20poly1305-04, 22 November 2013,
              <https://datatracker.ietf.org/doc/html/draft-agl-tls-
              chacha20poly1305-04>.

Miller & Josefsson      Expires 22 February 2025                [Page 4]
Internet-Draft            SSH chacha20-poly1305              August 2024

   [ChaCha]   Bernstein, J., "ChaCha, a variant of Salsa20", January
              2008, <http://cr.yp.to/chacha/chacha-20080128.pdf>.

   [Poly1305] Bernstein, J., "The Poly1305-AES message-authentication
              code", March 2005,
              <http://cr.yp.to/mac/poly1305-20050329.pdf>.

Authors' Addresses

   Damien Miller
   OpenSSH
   Email: djm@mindrot.org

   Simon Josefsson
   SJD AB
   Email: simon@josefsson.org

Miller & Josefsson      Expires 22 February 2025                [Page 5]