
Date: Tue, 3 May 2016 00:47:55 +1000 (AEST)
From: Damien Miller <djm@mindrot.org>
To: Stefan Bühler <ietf-ssh@stbuehler.de>
cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH

On Wed, 20 Apr 2016, Stefan Bühler wrote:

> Hi,
> 
> some time ago I tried implementing ssh-chacha20-poly1305@openssh on my
> own and was rather disappointed by the state of the documentation in
> openssh (in the end the source code told me what I needed to know).
> 
> Seeing draft-josefsson-ssh-chacha20-poly1305-openssh-00 I hoped there
> would be some improvement... but well, it is just a copy of the openssh
> file :)

It would be helpful if you said what in the documentation was
insufficient so we can improve it.

> So I started to work on it, and also read some of the following
> discussion on ietf-ssh.
> 
> A large part of the discussion spun off discussing a wish list for a
> new binary packet protocol; changing the binary packet protocol probably
> requires rewriting core logic in many SSH implementations, so this
> should be done very carefully and not just for one cipher, and I somehow
> doubt it will happen soon.

It's already happened: chacha20-poly1305 is supported by several
SSH implementations and uses a similar packet construction to
RFC5647 AES-GCM (with the exception of encrypting the packet length).
There's also the -etm MACs in OpenSSH as Niels observes.

> So I propose defining "chacha20-poly1305" as either the existing
> "chacha20-poly1305@openssh.com" or as a slightly modified variant:
> 
> - using AEAD_CHACHA20_POLY1305 from RFC7539
> - encrypt the packet length with otherwise discarded bytes from the
>   first Chacha20 block, i.e. only a single Chacha20 instance

I chose to use an independently-keyed instance of chacha20 for
length field encryption to be completely sure there could be
no possible decryption oracle between them. This was a deliberately
conservative choice that was fortunately cheap since chacha20 is so
fast.

> - pad the nonce to 12 bytes with zeroes on the left side, so one can
>   simply reuse the original Poly1305 implementation with a 8-byte nonce.
> - openssh patch:
>   https://github.com/rus-cert/openssh-portable/tree/feature-chacha20-poly1305

I agree that if we are redoing the chacha20-poly1305 mode then it
should match the parameter lengths used in other IETF protocols.

> The "full" documents can be found here:
> https://github.com/rus-cert/ssh-chacha20-poly1305-drafts
> 
> It would be nice to get some feedback on whether there is interest in
> getting "chacha20-poly1305" out before a protocol redesign and which
> variant to go for.
> 
> If there is no interest in getting an RFC for this maybe at least the
> openssh devs are interested in fixing their documentation :)

Like I said, it would be great if you let us know what in particular
was deficient in the documentation so we can fix it.

With regards to the future of the chacha20-poly1305, I'm hoping
to interest a researcher in looking into length-hiding as a
traffic-analysis countermeasure in the SSH protocol. The "Peek-a-boo"
paper considers fingerprinting websites in the web attack model, which
is very different to and in many ways more demanding than SSH's attack
model. It would be good to have more definitive research that targets
the SSH protocol and threat model (passwords, keystroke timings, etc)
and make a decision based on that.

With that out of the way, and if it yields a recommendation to
pursue length-hiding then it's probably worth revisiting the exact
construction. E.g. your proposal to use the remaining bytes from
the first block, but I wasn't aware of [1] when I designed this mode.

-d

[1] http://www.iacr.org/archive/eurocrypt2012/72370677/72370677.pdf

Date: Tue, 3 May 2016 11:18:10 +0200
From: Stefan Bühler <ietf-ssh@stbuehler.de>
To: Damien Miller <djm@mindrot.org>
Cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH

Hi Damien,

On Tue, 3 May 2016 00:47:55 +1000 (AEST)
Damien Miller <djm@mindrot.org> wrote:

> On Wed, 20 Apr 2016, Stefan Bühler wrote:
>
> > Hi,
> >
> > some time ago I tried implementing ssh-chacha20-poly1305@openssh on
> > my own and was rather disappointed by the state of the
> > documentation in openssh (in the end the source code told me what I
> > needed to know).
> >
> > Seeing draft-josefsson-ssh-chacha20-poly1305-openssh-00 I hoped
> > there would be some improvement... but well, it is just a copy of
> > the openssh file :)
>
> It would be helpful if you said what in the documentation was
> insufficient so we can improve it.

Fair enough:
- "This forms two 256 bit keys (K_1 and K_2), used by two separate
  instances of chacha20.", and then K_1 is used to encrypt the length.
  But the keys are actually `K_2 || K_1` !
- There is no reference to EtM-modes and how they handle padding.
- By saying "no MAC is required" one might think that the MAC length is
  zero and Poly1305 tag is somehow part of the packet content, and that
  the length of it needs to be reflected in the length field.
  But the MAC length is actually 16 bytes.

I also feel the document is not structured very well, and a lot of
things could be said more explicitly.

But now I'm also curious: do you actually consider the document good
enough to be published as RFC?

> > So I started to work on it, and also read some of the following
> > discussion on ietf-ssh.
> >
> > A large part of the discussion spun off discussing a wish list for
> > a new binary packet protocol; changing the binary packet protocol
> > probably requires rewriting core logic in many SSH implementations,
> > so this should be done very carefully and not just for one cipher,
> > and I somehow doubt it will happen soon.
>
> It's already happened: chacha20-poly1305 is supported by several
> SSH implementations and uses a similar packet construction to
> RFC5647 AES-GCM (with the exception of encrypting the packet length).
> There's also the -etm MACs in OpenSSH as Niels observes.

I can't find it on
http://ssh-comparison.quendi.de/comparison/cipher.html, and I hope it
isn't actually named "chacha20-poly1305" without being listed in the
IANA registry. Can you give me any pointers?

Which Chacha20 nonce size does it use? Does it actually use "invocation
counters" instead of the sequence counter? Does it use an IV as fixed
part of the nonce, or just zero bytes?

> > So I propose defining "chacha20-poly1305" as either the existing
> > "chacha20-poly1305@openssh.com" or as a slightly modified variant:
> >
> > - using AEAD_CHACHA20_POLY1305 from RFC7539
> > - encrypt the packet length with otherwise discarded bytes from the
> >   first Chacha20 block, i.e. only a single Chacha20 instance
>
> I chose to use an independently-keyed instance of chacha20 for
> length field encryption to be completely sure there could be
> no possible decryption oracle between them. This was a deliberately
> conservative choice that was fortunately cheap since chacha20 is so
> fast.

I have no real preference here, I just found it could be a nice option
(I think Niels Möller presented it on the mailing list).

> > - pad the nonce to 12 bytes with zeroes on the left side, so one can
> >   simply reuse the original Poly1305 implementation with a 8-byte
> > nonce.
> > - openssh patch:
> >   https://github.com/rus-cert/openssh-portable/tree/feature-chacha20-poly1305
>
> I agree that if we are redoing the chacha20-poly1305 mode then it
> should match the parameter lengths used in other IETF protocols.

So the question is (again) whether we should do it or not.

> [...]
>
> With regards to the future of the chacha20-poly1305, I'm hoping
> to interest a researcher in looking into length-hiding as a
> traffic-analysis countermeasure in the SSH protocol. The "Peek-a-boo"
> paper considers fingerprinting websites in the web attack model, which
> is very different to and in many ways more demanding than SSH's attack
> model. It would be good to have more definitive research that targets
> the SSH protocol and threat model (passwords, keystroke timings, etc)
> and make a decision based on that.
>
> With that out of the way, and if it yields a recommendation to
> pursue length-hiding then it's probably worth revisiting the exact
> construction. E.g. your proposal to use the remaining bytes from
> the first block, but I wasn't aware of [1] when I designed this mode.

I probably have to do some reading to even understand what this is
about :) But I don't think this should be considered only for
chacha20-poly1305 but for generic AEAD usage (if possible).

- Stefan

From: Darren Tucker <dtucker@zip.com.au>
Date: Tue, 3 May 2016 14:13:42 +0200
Subject: Re: adding IUTF8 to encoded terminal modes in SSH Protocol Assigned Numbers
To: Chris Lonvick <clonvick@cisco.com>
Cc: David Madore <david+generic@madore.org>, Mouse <mouse@rodents-montreal.org>,  "ietf-ssh@NetBSD.org" <ietf-ssh@netbsd.org>

On Fri, Mar 29, 2013 at 7:47 PM, Chris Lonvick <clonvick@cisco.com> wrote:
[...]
> Once you have published this as an Internet Draft, bring the discussion back
> to this group.

Hi.  Simon Tatham has written such a draft:
http://www.ietf.org/id/draft-sgtatham-secsh-iutf8-00.txt

and it is currently implemented in (and interop tested with) the
development branches of PuTTY and OpenSSH.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Date: Tue, 3 May 2016 23:10:35 +1000 (AEST)
From: Damien Miller <djm@mindrot.org>
To: Stefan Bühler <ietf-ssh@stbuehler.de>
cc: ietf-ssh@netbsd.org
Subject: Re: ChaCha20-Poly1305 for SSH

On Tue, 3 May 2016, Stefan Bühler wrote:

> On Tue, 3 May 2016 00:47:55 +1000 (AEST)
> Damien Miller <djm@mindrot.org> wrote:
> 
> > It would be helpful if you said what in the documentation was
> > insufficient so we can improve it.
> 
> Fair enough:
> - "This forms two 256 bit keys (K_1 and K_2), used by two separate
>   instances of chacha20.", and then K_1 is used to encrypt the length.
>   But the keys are actually `K_2 || K_1` !

Thanks, I'll add a note to clarify.

> - There is no reference to EtM-modes and how they handle padding.

Why should there be?  EtM is completely separate.

> - By saying "no MAC is required" one might think that the MAC length is
>   zero and Poly1305 tag is somehow part of the packet content, and that
>   the length of it needs to be reflected in the length field.
>   But the MAC length is actually 16 bytes.

But the document doesn't say this. It says, in a section that describes
the KEX negotiation, "no MAC is required to be negotiated". IMO that's
quite clear from context.

Perhaps you're referring to the "no separate MAC is required" statement
in the same paragraph. This immediately follows a sentence that
describes the AEAD as including authentication. IMO the context is clear
here too.

The rest of the document discusses at length how the in-AEAD MAC is
derived and should be checked so nobody who read the whole thing
could (again IMO) come away with the impression that the protocol
includes no MAC or that it isn't included in the packet.

> I also feel the document is not structured very well, and a lot of
> things could be said more explicitly.

Such as? I'm happy to act on specific suggestions. Vague statements
of displeasure aren't really actionable though.

> But now I'm also curious: do you actually consider the document good
> enough to be published as RFC?

I'd consider it good enough to publish as an I-D, but I don't intend
to for the reasons I've already outlined.

> > > So I started to work on it, and also read some of the following
> > > discussion on ietf-ssh.
> > > 
> > > A large part of the discussion spun off discussing a wish list for
> > > a new binary packet protocol; changing the binary packet protocol
> > > probably requires rewriting core logic in many SSH implementations,
> > > so this should be done very carefully and not just for one cipher,
> > > and I somehow doubt it will happen soon.  
> > 
> > It's already happened: chacha20-poly1305 is supported by several
> > SSH implementations and uses a similar packet construction to
> > RFC5647 AES-GCM (with the exception of encrypting the packet length).
> > There's also the -etm MACs in OpenSSH as Niels observes.
> 
> I can't find it on
> http://ssh-comparison.quendi.de/comparison/cipher.html, and I hope it
> isn't actually named "chacha20-poly1305" without being listed in the
> IANA registry. Can you give me any pointers?

http://ssh-comparison.quendi.de/comparison/cipher.html search for
chacha20-poly1305, scroll right.

-d

Date: Tue, 3 May 2016 14:24:45 +0200
From: David Madore <david+ml@madore.org>
To: Darren Tucker <dtucker@zip.com.au>
Cc: Chris Lonvick <clonvick@cisco.com>, Mouse <mouse@rodents-montreal.org>, "ietf-ssh@NetBSD.org" <ietf-ssh@netbsd.org>
Subject: Re: adding IUTF8 to encoded terminal modes in SSH Protocol Assigned Numbers
Message-ID: <20160503122445.GA15802@achernar.madore.org>
References: <20130329125734.GA24915@achernar.madore.org> <201303291331.JAA24710@Sparkle.Rodents-Montreal.ORG> <20130329173208.GA27197@achernar.madore.org> <alpine.LRH.2.00.1303291126350.22406@sjc-xdm-112.cisco.com> <CALDDTe3p=_As2cjmT7Bu-gq3ywduG-oggajmSr-SAFnEWtFvTA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CALDDTe3p=_As2cjmT7Bu-gq3ywduG-oggajmSr-SAFnEWtFvTA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

On Tue, May 03, 2016 at 02:13:42PM +0200, Darren Tucker wrote:
> Hi.  Simon Tatham has written such a draft:
> http://www.ietf.org/id/draft-sgtatham-secsh-iutf8-00.txt
> 
> and it is currently implemented in (and interop tested with) the
> development branches of PuTTY and OpenSSH.

Oh great!  Sign one up for the good old "if you procrastinate enough
on doing something, maybe someone else will do it for you". :-)

-- 
     David A. Madore
   ( http://www.madore.org/~david/ )

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Tue May  3 22:50:18 2016
Date: Tue, 3 May 2016 09:17:13 -0400 (EDT)
From: Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <201605031317.JAA13908@Stone.Rodents-Montreal.ORG>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
X-Composition-Start-Date: Tue, 3 May 2016 09:07:46 -0400 (EDT)
To: ietf-ssh@netbsd.org
Cc: David Madore <david+ml@madore.org>, Darren Tucker <dtucker@zip.com.au>, Chris Lonvick <clonvick@cisco.com>
Subject: Re: adding IUTF8 to encoded terminal modes in SSH Protocol Assigned Numbers
In-Reply-To: <20160503122445.GA15802@achernar.madore.org>
References: <20130329125734.GA24915@achernar.madore.org> <201303291331.JAA24710@Sparkle.Rodents-Montreal.ORG> <20130329173208.GA27197@achernar.madore.org> <alpine.LRH.2.00.1303291126350.22406@sjc-xdm-112.cisco.com> <CALDDTe3p=_As2cjmT7Bu-gq3ywduG-oggajmSr-SAFnEWtFvTA@mail.gmail.com> <20160503122445.GA15802@achernar.madore.org>
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

>> Hi.  Simon Tatham has written such a draft:
>> http://www.ietf.org/id/draft-sgtatham-secsh-iutf8-00.txt

>> and it is currently implemented in (and interop tested with) the
>> development branches of PuTTY and OpenSSH.

> Oh great!  Sign one up for the good old "if you procrastinate enough
> on doing something, maybe someone else will do it for you". :-)

moussh has supported it via missing-pty-modes@rodents.montreal.qc.ca
since 2013-02-05 and has had (on a branch) what the draft describes
since 2013-03-29.  (Well, I think it has.  I have no systems supporting
IUTF8, so it's difficult for me to test either of those.)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Tue May 24 00:29:17 2016
Date: Tue, 24 May 2016 17:29:06 +1000 (AEST)
From: Damien Miller <djm@mindrot.org>
To: ietf-ssh@netbsd.org
Subject: Specification for agent protocol
Message-ID: <alpine.BSO.2.20.1605241721550.16569@natsu.mindrot.org>
User-Agent: Alpine 2.20 (BSO 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Hi,

A few people have asked over the years for a proper specification of the
agent protocol that most SSH implementations support. I've maintained
the PROTOCOL.agent file[1] in the OpenSSH source distribution as a
half-assed standard for some time, but I think that the protocol is
widely used enough to warrant an actual RFC.

So I've converted the half-assed documentation into something
a little bit more formal and published it as an I-D at
https://tools.ietf.org/html/draft-miller-ssh-agent-00

This is pretty much exactly the protocol as OpenSSH implements it. The
main changes from PROTOCOL.agent (for those who are familiar with it)
are removal of SSH v.1 bits and adding a couple of backwards-compatible
extension mechanisms to support user@domain.org-style extensibility.

I'd welcome any feedback and/or assistance in getting it completed and
published. Thanks to Simon Tatham for reviewing an earlier version.

-d

[1] https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.agent
