xref: /dflybsd-src/crypto/openssh/PROTOCOL.chacha20poly1305 (revision 0cbfa66cdb87e23928a110d9b02839f403e32c11)
This document describes the chacha20-poly1305@openssh.com authenticated
encryption cipher supported by OpenSSH.

Background
----------

ChaCha20 is a stream cipher designed by Daniel Bernstein and described
in [1]. It operates by permuting 128 fixed bits, 128 or 256 bits of key,
a 64 bit nonce and a 64 bit counter into 64 bytes of output. This output
is used as a keystream, with any unused bytes simply discarded.

Poly1305[2], also by Daniel Bernstein, is a one-time Carter-Wegman MAC
that computes a 128 bit integrity tag given a message and a single-use
256 bit secret key.

The chacha20-poly1305@openssh.com cipher combines these two primitives
into an authenticated encryption mode. The construction used is based on
that proposed for TLS by Adam Langley in [3], but differs in the layout
of data passed to the MAC and in the addition of encryption of the packet
lengths.

Negotiation
-----------

The chacha20-poly1305@openssh.com cipher offers both encryption and
authentication. As such, no separate MAC is required. If the
chacha20-poly1305@openssh.com cipher is selected in key exchange,
the offered MAC algorithms are ignored and no MAC is required to be
negotiated.

Detailed Construction
---------------------

The chacha20-poly1305@openssh.com cipher requires 512 bits of key
material as output from the SSH key exchange. This forms two 256 bit
keys (K_1 and K_2), used by two separate instances of chacha20.
The first 256 bits constitute K_2 and the second 256 bits become
K_1.

The instance keyed by K_1 is a stream cipher that is used only
to encrypt the 4 byte packet length field. The second instance,
keyed by K_2, is used in conjunction with poly1305 to build an AEAD
(Authenticated Encryption with Associated Data) that is used to encrypt
and authenticate the entire packet.

Two separate cipher instances are used here so as to keep the packet
lengths confidential but not create an oracle for the packet payload
cipher by decrypting and using the packet length prior to checking
the MAC. By using an independently-keyed cipher instance to encrypt the
length, an active attacker seeking to exploit the packet input handling
as a decryption oracle can learn nothing about the payload contents or
its MAC (assuming key derivation, ChaCha20 and Poly1305 are secure).

The AEAD is constructed as follows: for each packet, generate a Poly1305
key by taking the first 256 bits of ChaCha20 stream output generated
using K_2, an IV consisting of the packet sequence number encoded as a
uint64 under the SSH wire encoding rules and a ChaCha20 block counter of
zero. The K_2 ChaCha20 block counter is then set to the little-endian
encoding of 1 (i.e. {1, 0, 0, 0, 0, 0, 0, 0}) and this instance is used
for encryption of the packet payload.

Packet Handling
---------------

When receiving a packet, the length must be decrypted first. When 4
bytes of ciphertext length have been received, they may be decrypted
using the K_1 key, a nonce consisting of the packet sequence number
encoded as a uint64 under the usual SSH wire encoding and a zero block
counter to obtain the plaintext length.

Once the entire packet has been received, the MAC MUST be checked
before decryption. A per-packet Poly1305 key is generated as described
above and the MAC tag calculated using Poly1305 with this key over the
ciphertext of the packet length and the payload together. The calculated
MAC is then compared in constant time with the one appended to the
packet and the packet decrypted using ChaCha20 as described above (with
K_2, the packet sequence number as nonce and a starting block counter of
1).

To send a packet, first encode the 4 byte length and encrypt it using
K_1. Encrypt the packet payload (using K_2) and append it to the
encrypted length. Finally, calculate a MAC tag and append it.
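The Detailed Construction and Packet Handling sections above, worked through end to end as an added example. This is not OpenSSH's own code (which lives in cipher-chachapoly.c, chacha.c and poly1305.c); it is a pure-Python model written for this page. The function names, the `bytes(range(64))` stand-in for the 512 bits of key-exchange output, and the treatment of everything between the length field and the MAC as one opaque payload are assumptions of the example. ChaCha20 here is the original 64-bit-nonce/64-bit-counter variant from [1], which is what the protocol uses, not the IETF 96-bit-nonce variant.

```python
import hmac
import struct

MASK32 = 0xffffffff


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block of the original ChaCha20 [1]:
    128 fixed bits, 256-bit key, 64-bit block counter, 64-bit nonce."""
    state = list(struct.unpack('<4I', b'expand 32-byte k'))    # the 128 fixed bits
    state += struct.unpack('<8I', key)                           # 256-bit key
    state += struct.unpack('<2I', struct.pack('<Q', counter))    # little-endian 64-bit counter
    state += struct.unpack('<2I', nonce)                         # 64-bit nonce (8 raw bytes)
    w = state[:]
    for _ in range(10):                                          # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack('<16I', *((a + b) & MASK32 for a, b in zip(w, state)))


def chacha20_xor(key, nonce, counter, data):
    """XOR data with keystream starting at block `counter`; unused keystream bytes are discarded."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def poly1305(key, msg):
    """Poly1305 [2] one-time MAC: 32-byte single-use key (r || s), 16-byte tag."""
    p = (1 << 130) - 5
    r = int.from_bytes(key[:16], 'little') & 0x0ffffffc0ffffffc0ffffffc0fffffff  # clamp r
    s = int.from_bytes(key[16:32], 'little')
    acc = 0
    for i in range(0, len(msg), 16):
        chunk = msg[i:i + 16]
        n = int.from_bytes(chunk, 'little') + (1 << (8 * len(chunk)))  # the appended 0x01 byte
        acc = ((acc + n) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, 'little')


def split_keys(key_material):
    """512 bits of KEX output: first 256 bits are K_2 (payload AEAD), second 256 bits are K_1 (length)."""
    if len(key_material) != 64:
        raise ValueError("need 64 bytes of key material")
    return key_material[32:64], key_material[:32]  # (K_1, K_2)


def _nonce(seqnr):
    return struct.pack('>Q', seqnr)  # packet sequence number as an SSH uint64 (big-endian)


def seal_packet(k1, k2, seqnr, payload):
    """Sender side: encrypted length || encrypted payload || Poly1305 tag."""
    nonce = _nonce(seqnr)
    enc_len = chacha20_xor(k1, nonce, 0, struct.pack('>I', len(payload)))  # K_1, counter 0
    poly_key = chacha20_block(k2, 0, nonce)[:32]                           # K_2, counter 0, first 256 bits
    ct = chacha20_xor(k2, nonce, 1, payload)                               # K_2, counter 1
    tag = poly1305(poly_key, enc_len + ct)                                 # MAC over both ciphertexts
    return enc_len + ct + tag


def decrypt_length(k1, seqnr, enc_len):
    """Receiver step 1: only K_1 is used, so nothing about the payload or its MAC is exposed."""
    return struct.unpack('>I', chacha20_xor(k1, _nonce(seqnr), 0, enc_len[:4]))[0]


def open_packet(k1, k2, seqnr, packet):
    """Receiver step 2: MAC check in constant time, then (and only then) decrypt the payload.
    Assumption of this model: the whole packet is already buffered; a real receiver reads 4 bytes,
    decrypts the length, then waits for length + 16 more bytes before doing this."""
    nonce = _nonce(seqnr)
    length = decrypt_length(k1, seqnr, packet[:4])
    if len(packet) != 4 + length + 16:
        raise ValueError("packet size does not match decrypted length field")
    enc_len, ct, tag = packet[:4], packet[4:4 + length], packet[4 + length:]
    poly_key = chacha20_block(k2, 0, nonce)[:32]
    if not hmac.compare_digest(poly1305(poly_key, enc_len + ct), tag):
        raise ValueError("MAC check failed")
    return chacha20_xor(k2, nonce, 1, ct)


def rejects(k1, k2, seqnr, packet):
    """True if the receiver rejects the packet (bad length or failed MAC) without returning plaintext."""
    try:
        open_packet(k1, k2, seqnr, packet)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    km = bytes(range(64))                 # constructed stand-in for 512 bits of KEX output
    k1, k2 = split_keys(km)
    pkt = seal_packet(k1, k2, 7, b"constructed payload")
    print(open_packet(k1, k2, 7, pkt))    # b'constructed payload'
```

Two details are easy to get wrong when re-implementing this: the sequence number is encoded big-endian (SSH wire uint64) and those 8 bytes are then loaded as two little-endian words into the ChaCha20 nonce slots, and the per-packet Poly1305 key comes from counter block 0 of the K_2 instance while the payload keystream starts at block 1, so the two never overlap. The `rejects` helper exists so that a test can confirm that a flipped tag bit or a mismatched sequence number is refused before any payload plaintext is produced.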

Rekeying
--------

ChaCha20 must never reuse a {key, nonce} for encryption nor may it be
used to encrypt more than 2^70 bytes under the same {key, nonce}. The
SSH Transport protocol (RFC4253) recommends a far more conservative
rekeying every 1GB of data sent or received. If this recommendation
is followed, then chacha20-poly1305@openssh.com requires no special
handling in this area.

References
----------

[1] "ChaCha, a variant of Salsa20", Daniel Bernstein
    http://cr.yp.to/chacha/chacha-20080128.pdf

[2] "The Poly1305-AES message-authentication code", Daniel Bernstein
    http://cr.yp.to/mac/poly1305-20050329.pdf

[3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley
    http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03

$OpenBSD: PROTOCOL.chacha20poly1305,v 1.5 2020/02/21 00:04:43 dtucker Exp $
