Howto implement chacha20-poly1305?


Howto implement chacha20-poly1305?

Stef Bon
Hi,

I'm writing a fuse sftp client, and not making use of openssh (like
sshfs does). I'm writing all required procedures and functions to do
the negotiation and encryption myself, using libgcrypt.
This already works very well.
It basically uses simple encryption like 3des and blowfish and aes,
and mac like hmac-sha1 and hmac-sha256.

Now I also want support for newer algos like chacha20-poly1305 and
poly1305-AES.

I'm asking because I cannot find any documentation, and the named algos
are encryption and hmac combined, which requires extra attention.

Thanks in advance,

Stef Bon
the Netherlands

_______________________________________________
Gcrypt-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel

Re: Howto implement chacha20-poly1305?

Dmitry Eremin-Solenikov
Hello,

2016-11-28 17:32 GMT+03:00 Stef Bon <[hidden email]>:
> I'm writing a fuse sftp client, and not making use of openssh (like
> sshfs does). I'm writing all required procedures and functions to do
> the negotiation and encryption myself, using libgcrypt.
> This already works very well.
> It basically uses simple encryption like 3des and blowfish and aes,
> and mac like hmac-sha1 and hmac-sha256.
>
> Now I also want support for newer algos like chacha20-poly1305 and
> poly1305-AES.

Would gcry_cipher_open(&hd, GCRY_CIPHER_CHACHA20,
  GCRY_CIPHER_MODE_POLY1305, 0) work for you?

Then use gcry_cipher_gettag/gcry_cipher_checktag for retrieving/checking
tag.

It is an AEAD cipher mode, so there is no separate encryption and separate
MAC.

--
With best wishes
Dmitry


Re: Howto implement chacha20-poly1305?

Stef Bon
2016-11-28 21:19 GMT+01:00 Dmitry Eremin-Solenikov <[hidden email]>:
> Hello,
>
> 2016-11-28 17:32 GMT+03:00 Stef Bon <[hidden email]>:
>> I'm writing a fuse sftp client, and not making use of openssh (like

>
> Would gcry_cipher_open(&hd, GCRY_CIPHER_CHACHA20,
>   GCRY_CIPHER_MODE_POLY1305, 0) work for you?
>
> Then use gcry_cipher_gettag/gcry_cipher_checktag for retrieving/checking
> tag.
>
> It is an AEAD cipher mode, so there is no separate encryption and separate
> MAC.

Ah. Thanks a lot!

Stef


Re: Howto implement chacha20-poly1305?

Stef Bon
2016-11-28 22:01 GMT+01:00 Stef Bon <[hidden email]>:

>> Then use gcry_cipher_gettag/gcry_cipher_checktag for retrieving/checking
>> tag.
>>
>> It is an AEAD cipher mode, so there is no separate encryption and separate
>> MAC.
>
> Ah. Thanks a lot!

Do I have to decrypt and encrypt in a special way as described here:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD

Stef


Re: Howto implement chacha20-poly1305?

Jussi Kivilinna-2
Hello,

On 29.11.2016 00:23, Stef Bon wrote:

> 2016-11-28 22:01 GMT+01:00 Stef Bon <[hidden email]>:
>
>>> Then use gcry_cipher_gettag/gcry_cipher_checktag for retrieving/checking
>>> tag.
>>>
>>> It is an AEAD cipher mode, so there is no separate encryption and separate
>>> MAC.
>>
>> Ah. Thanks a lot!
>
> Do I have to decrypt and encrypt in a special way as described here:
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD

Unfortunately the AEAD cipher mode for "chacha20-poly1305@openssh.com" is slightly different from the chacha20-poly1305 AEAD described in RFC7539, which libgcrypt implements. The problem is that OpenSSH added chacha20-poly1305 support based on an early draft RFC, and there was a change to data padding later in the draft series.

So, to get "chacha20-poly1305@openssh.com" AEAD, you'd need to use separate Chacha20 cipher and Poly1305 mac instances and implement AEAD mode manually.
 gcry_mac_open(... GCRY_MAC_POLY1305 ...)
 gcry_cipher_open(... GCRY_CIPHER_CHACHA20 ...)

-Jussi


Re: Howto implement chacha20-poly1305?

Stef Bon
2016-11-29 17:56 GMT+01:00 Jussi Kivilinna <[hidden email]>:
> Hello,
>

>
> Unfortunately the AEAD cipher mode for "chacha20-poly1305@openssh.com" is slightly different from the chacha20-poly1305 AEAD described in RFC7539, which libgcrypt implements. The problem is that OpenSSH added chacha20-poly1305 support based on an early draft RFC, and there was a change to data padding later in the draft series.
>
> So, to get "chacha20-poly1305@openssh.com" AEAD, you'd need to use separate Chacha20 cipher and Poly1305 mac instances and implement AEAD mode manually.
>  gcry_mac_open(... GCRY_MAC_POLY1305 ...)
>  gcry_cipher_open(... GCRY_CIPHER_CHACHA20 ...)
>

Sigh, and another sigh.
Thanks for the answer though. How do I implement AEAD mode manually? I
know I have to open the cipher using GCRY_CIPHER_CHACHA20, and open
the mac using GCRY_HMAC_POLY1305 (you write GCRY_MAC_... but you mean
GCRY_HMAC_... ?), but what then? I've read about the function
gcry_cipher_authenticate (and gcry_cipher_gettag and
gcry_cipher_checktag). Do I have to set the cipher in a special mode?
Maybe it's good to know that I'm using the documentation based on
1.6.4, and chacha20 and poly1305 were added later.

Stef


Re: Howto implement chacha20-poly1305?

Werner Koch
On Tue, 29 Nov 2016 17:56, [hidden email] said:

> which libgcrypt implements. Problem is that OpenSSH add
> chacha20-poly1305 support based on early draft-RFC and there was
> change to data padding later in the draft series.

Given that OpenSSH is a cornerstone of all our infrastructure, what
about also adding the draft mode to libgcrypt 1.8?  Do we have someone
who could do that?


Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


Re: Howto implement chacha20-poly1305?

Jussi Kivilinna-2
On 30.11.2016 17:25, Werner Koch wrote:

> On Tue, 29 Nov 2016 17:56, [hidden email] said:
>
>> which libgcrypt implements. Problem is that OpenSSH add
>> chacha20-poly1305 support based on early draft-RFC and there was
>> change to data padding later in the draft series.
>
> Given that OpenSSH is a cornerstone of our all infrastructure, what
> about also adding the draft mode to libgcrypt 1.8?  Do we have someone
> who could do that?
>

I was thinking of the same too. I can do it. Draft mode selection would
happen with a new gcry_cipher_open flag, maybe GCRY_CIPHER_POLY1305_DRAFT
or GCRY_CIPHER_POLY1305_OPENSSH.

-Jussi



Re: Howto implement chacha20-poly1305?

Stef Bon
2016-11-30 20:53 GMT+01:00 Jussi Kivilinna <[hidden email]>:
>>
>> Given that OpenSSH is a cornerstone of our all infrastructure, what
>> about also adding the draft mode to libgcrypt 1.8?  Do we have someone
>> who could do that?
>
> I was thinking of the same too. I can do it. Draft mode selection would
> happen with a new gcry_cipher_open flag, maybe GCRY_CIPHER_POLY1305_DRAFT
> or GCRY_CIPHER_POLY1305_OPENSSH.

If you can do that that would be great!

Stef


Re: Howto implement chacha20-poly1305?

Werner Koch
On Wed, 30 Nov 2016 20:53, [hidden email] said:

> I was thinking of the same too. I can do it. Draft mode selection would
> happen with a new gcry_cipher_open flag, maybe GCRY_CIPHER_POLY1305_DRAFT
> or GCRY_CIPHER_POLY1305_OPENSSH.

Both make sense - maybe Openssh is the more descriptive one.  I don't
really care.

Stef: Can you help Jussi with testing?


Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


Re: Howto implement chacha20-poly1305?

Stef Bon
2016-12-01 9:46 GMT+01:00 Werner Koch <[hidden email]>:

>
> Both make sense - maybe Openssh is the more descriptive one.  I don't
> really care.
>
> Stef: Can you help Jussi with testing?
>

Sure. I have to get the latest version via git on my system
(archlinux) for that. I will first look into how to do this
without breaking dependencies or so.
Just let me know when things are ready to test.

Thanks again,

Stef


Re: Howto implement chacha20-poly1305?

Jussi Kivilinna-2
On 01.12.2016 10:46, Werner Koch wrote:
> On Wed, 30 Nov 2016 20:53, [hidden email] said:
>
>> I was thinking of the same too. I can do it. Draft mode selection would
>> happen with a new gcry_cipher_open flag, maybe GCRY_CIPHER_POLY1305_DRAFT
>> or GCRY_CIPHER_POLY1305_OPENSSH.
>
> Both make sense - maybe Openssh is the more descriptive one.  I don't
> really care.

This ended up being more complicated than I first thought. I looked into the implementation of chacha20-poly1305@openssh.com in OpenSSH [1] and it clearly was not the 'draft' AEAD after all. Then I reread the spec [2], which says:
 'The construction used is based on that proposed for TLS by Adam Langley in ...,
  but differs in the layout of data passed to the MAC and in the addition of
  encryption of the packet lengths.'

So, it's different in a somewhat complicated way with its 'encrypt AAD', which cannot be easily done with the libgcrypt AEAD API. One way could be to handle AAD encryption with a separate chacha20 cipher handle. But then one needs to use multiple handles to combine the AEAD and encrypt-AAD parts, and might as well do the whole construction with two chacha20 handles and one poly1305 handle. Also, I could not find test vectors for this mode.

>
> Stef: Can you help Jussi with testing?
>

I modified OpenSSH-7.3p1 to use libgcrypt (1.7) for 'chacha20-poly1305@openssh.com' to give you an example implementation. The commit for this change can be found here:
 https://github.com/jkivilin/openssh-portable/commit/dd4d06bb47cbbbe3607b9be30f17f1495adbeb12

Does this help you?

-Jussi

[1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/cipher-chachapoly.c?rev=1.8&content-type=text/x-cvsweb-markup
[2] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?rev=1.3&content-type=text/x-cvsweb-markup




Re: Howto implement chacha20-poly1305?

Stef Bon
2016-12-04 11:03 GMT+01:00 Jussi Kivilinna <[hidden email]>:

>
> This ended up being more complicated than I first thought. I looked into the implementation of chacha20-poly1305@openssh.com in OpenSSH [1] and it clearly was not the 'draft' AEAD after all. Then I reread the spec [2], which says:
>  'The construction used is based on that proposed for TLS by Adam Langley in ...,
>   but differs in the layout of data passed to the MAC and in the addition of
>   encryption of the packet lengths.'
>
> So, it's different in a somewhat complicated way with its 'encrypt AAD', which cannot be easily done with the libgcrypt AEAD API. One way could be to handle AAD encryption with a separate chacha20 cipher handle. But then one needs to use multiple handles to combine the AEAD and encrypt-AAD parts, and might as well do the whole construction with two chacha20 handles and one poly1305 handle. Also, I could not find test vectors for this mode.
>
> I modified OpenSSH-7.3p1 to use libgcrypt (1.7) for 'chacha20-poly1305@openssh.com' to give you an example implementation. The commit for this change can be found here:
>  https://github.com/jkivilin/openssh-portable/commit/dd4d06bb47cbbbe3607b9be30f17f1495adbeb12
>
> Does this help you?
>

Great. I will look at this tomorrow and report back to you when I have some results.

Stef


Re: Howto implement chacha20-poly1305?

Stef Bon
2016-12-04 13:29 GMT+01:00 Stef Bon <[hidden email]>:

>>
>> Does this help you?
>>
>

Well, it takes longer for me to implement. My client software uses a
generic decrypt function which decrypts the incoming message and then
compares the mac.
It is also able to wait for additional chunks of data. The server
sometimes sends the data not in one, but in different parts.
It's complicated since chacha20-poly1305@openssh.com does things differently.

For example, the mac is compared while the message is still encrypted,
while the "normal" order is to first decrypt and then compare the mac
(which is also described in
https://tools.ietf.org/html/rfc4253#section-6.4 ).

Stef


Re: Howto implement chacha20-poly1305?

Stef Bon
Hi,

I still do not have the chacha20 cipher running.
When I look at it again, I get errors from the openssh server like:

sshd[13449]: padding error: need 60 block 8 mod 4 [preauth]
sshd[13449]: ssh_dispatch_run_fatal: Connection from 192.168.2.20 port
46440: message authentication code incorrect [preauth]

It looks like the mac is constructed from the packet buffer minus
the first four bytes. Right now my software gets the mac from the
whole packet buffer, which is also according to the rfc:
https://tools.ietf.org/html/rfc4253#section-6.4

I read in PROTOCOL.chacha20poly1305:

"The second instance, keyed by K_2, is used in conjunction with
poly1305 to build an AEAD
(Authenticated Encryption with Associated Data) that is used to
encrypt and authenticate the entire packet."

Well, not the entire packet obviously?
Do you know how to write and verify the mac? When writing the mac (or
aead), does the data to read start at packetbuffer or at packetbuffer + 4?
In the last case that explains the error from openssh: it's not well aligned.

Stef


Re: Howto implement chacha20-poly1305?

Stef Bon
Well, I've got it working. It has been an alignment issue.

It looks to me that the code Jussi has written is correct.

I had to find out that the manner to determine padding has also
changed. The chacha20poly1305 has two ciphers, and
the data of the main cipher (starting at byte 4) has to be aligned,
which is --not-- documented at all.

If you want me to test the performance compared to other ciphers, let me know.

Stef
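
The construction Jussi describes (two chacha20 instances plus one poly1305) and the packetbuffer-versus-packetbuffer+4 question Stef raises, worked through as an added example that is not part of this thread, of libgcrypt or of OpenSSH: a from-scratch Python model of chacha20-poly1305@openssh.com following PROTOCOL.chacha20poly1305, with the primitives written inline where a real client would use gcry_cipher_open/gcry_mac_open handles. The 64-byte key, sequence number and packet body used in the checks are constructed sample values.

```python
import hmac
import struct

def _qr(s, a, b, c, d):
    # One ChaCha quarter-round on state words a, b, c, d (arithmetic mod 2**32).
    for x, y, z, rot in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xffffffff
        s[z] ^= s[x]
        s[z] = ((s[z] << rot) | (s[z] >> (32 - rot))) & 0xffffffff

def chacha20_block(key, counter, nonce):
    # Original ChaCha20 layout as used by OpenSSH: 64-bit counter (words 12-13), 64-bit nonce (words 14-15).
    st = list(struct.unpack('<4I8I', b'expand 32-byte k' + key))
    st += [counter & 0xffffffff, counter >> 32] + list(struct.unpack('<2I', nonce))
    w = st[:]
    for _ in range(10):  # 20 rounds = 10 x (column round, diagonal round)
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(w, *idx)
    return struct.pack('<16I', *((x + y) & 0xffffffff for x, y in zip(w, st)))

def chacha20_xor(key, counter, nonce, data):
    # Keystream for data[i:i+64] is block number counter + i//64 (no implicit offset).
    return b''.join(bytes(a ^ b for a, b in zip(data[i:i + 64], chacha20_block(key, counter + i // 64, nonce)))
                    for i in range(0, len(data), 64))

def poly1305(key, msg):
    # RFC 7539 Poly1305: clamp r, absorb 16-byte chunks each padded with a 0x01 byte, then add s.
    p, acc = (1 << 130) - 5, 0
    r = int.from_bytes(key[:16], 'little') & 0x0ffffffc0ffffffc0ffffffc0fffffff
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b'\x01', 'little')) * r % p
    return ((acc + int.from_bytes(key[16:], 'little')) & ((1 << 128) - 1)).to_bytes(16, 'little')

def openssh_chacha_encrypt(key, seqnr, body):
    # 64-byte SSH key: K_2 = key[:32] (packet body and Poly1305 key), K_1 = key[32:] (length field only).
    k2, k1, nonce = key[:32], key[32:], struct.pack('>Q', seqnr)  # nonce = big-endian sequence number
    enc_len = chacha20_xor(k1, 0, nonce, struct.pack('>I', len(body)))
    poly_key = chacha20_block(k2, 0, nonce)[:32]  # K_2 keystream block 0 keys Poly1305 ...
    ct = chacha20_xor(k2, 1, nonce, body)          # ... so the body keystream starts at block 1
    return enc_len + ct + poly1305(poly_key, enc_len + ct)  # tag covers encrypted length + body

def openssh_chacha_decrypt(key, seqnr, packet):
    k2, k1, nonce = key[:32], key[32:], struct.pack('>Q', seqnr)
    length = struct.unpack('>I', chacha20_xor(k1, 0, nonce, packet[:4]))[0]  # body size from K_1 only
    if len(packet) != 4 + length + 16: raise ValueError('packet length mismatch')
    # Verify the tag over the still-encrypted bytes, from offset 0, before decrypting the body.
    if not hmac.compare_digest(poly1305(chacha20_block(k2, 0, nonce)[:32], packet[:-16]), packet[-16:]):
        raise ValueError('message authentication code incorrect')
    return chacha20_xor(k2, 1, nonce, packet[4:-16])  # main cipher covers buffer + 4 onwards
```

The receiver therefore never decrypts the body before the tag over the whole ciphertext (including the 4 encrypted length bytes) has been checked, which is the reversal of the RFC 4253 order the thread discusses.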
