PROTOCOL.chacha20poly1305 - OpenGrok cross reference for /freebsd/crypto/openssh/PROTOCOL.chacha20poly1305

Lines Matching +full:packet +full:- +full:based
1 This document describes the chacha20-poly1305@openssh.com authenticated
5 ----------
12 Poly1305[2], also by Daniel Bernstein, is a one-time Carter-Wegman MAC
13 that computes a 128 bit integrity tag given a message and a single-use
16 The chacha20-poly1305@openssh.com combines these two primitives into an
17 authenticated encryption mode. The construction used is based on that
19 data passed to the MAC and in the addition of encryption of the packet
23 -----------
25 The chacha20-poly1305@openssh.com offers both encryption and
27 chacha20-poly1305@openssh.com cipher is selected in key exchange,
32 ---------------------
34 The chacha20-poly1305@openssh.com cipher requires 512 bits of key
41 to encrypt the 4 byte packet length field. The second instance,
44 and authenticate the entire packet.
46 Two separate cipher instances are used here so as to keep the packet
47 lengths confidential but not create an oracle for the packet payload
48 cipher by decrypting and using the packet length prior to checking
49 the MAC. By using an independently-keyed cipher instance to encrypt the
50 length, an active attacker seeking to exploit the packet input handling
54 The AEAD is constructed as follows: for each packet, generate a Poly1305
56 using K_2, an IV consisting of the packet sequence number encoded as an
58 zero. The K_2 ChaCha20 block counter is then set to the little-endian
60 for encryption of the packet payload.
62 Packet Handling
63 ---------------
65 When receiving a packet, the length must be decrypted first. When 4
67 using the K_1 key, a nonce consisting of the packet sequence number
71 Once the entire packet has been received, the MAC MUST be checked
72 before decryption. A per-packet Poly1305 key is generated as described
74 ciphertext of the packet length and the payload together. The calculated
76 packet and the packet decrypted using ChaCha20 as described above (with
77 K_2, the packet sequence number as nonce and a starting block counter of
80 To send a packet, first encode the 4 byte length and encrypt it using
81 K_1. Encrypt the packet payload (using K_2) and append it to the
85 --------
91 is followed, then chacha20-poly1305@openssh.com requires no special
95 ----------
98     http://cr.yp.to/chacha/chacha-20080128.pdf
100 [2] "The Poly1305-AES message-authentication code", Daniel Bernstein
101     http://cr.yp.to/mac/poly1305-20050329.pdf
103 [3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley
104     http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03