search for: chacha20

I'm wondering why the ChaCha20 cipher rekeys so frequently. At speed I'm seeing rekeys every second or two. So I'm spending a large amount of time in the rekey process. From what I've read about ChaCha20 it shouldn't need to be rekeyed quite so frequently. Am I missing something obvious? Just curious more th...

https://bugzilla.mindrot.org/show_bug.cgi?id=2972 Bug ID: 2972 Summary: Add build-time option to use OpenSSL for ChaCha20-Poly1305 Product: Portable OpenSSH Version: 7.9p1 Hardware: ARM OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org Rep...

I was wondering if there was something specific to the internal chacha20 cipher as opposed to OpenSSL implementation. I can't just change the block size because it breaks compatibility. I can do something like as a hack (though it would probably be better to do it with the compat function): if (strstr(enc->name, "chacha")) *max_blocks = (...

On some cpu's optimized chacha implementation in openssl (1.1.0+) is notably faster (and on others it is just faster) than generic C implementation in openssh. Sadly, openssl's chacha20-poly1305 (EVP_chacha20_poly1305) uses different scheme (with padding/etc - see rfc8439) and it looks it is not possible to use in openssh. OpenSSL 1.1.1+ also exports "raw" poly1305 primitive, but I have not tried it yet (it was not in 1.1.0). Trivial benchmark: time ssh -c chacha20-pol...

https://bugzilla.mindrot.org/show_bug.cgi?id=3194 Bug ID: 3194 Summary: Please consider lowering chacha20-poly1305 at openssh.com cipher priority on AES-NI capable CPU Product: Portable OpenSSH Version: 8.3p1 Hardware: amd64 OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Mis...

That's true for block ciphers, but ChaCha20+poly1305 is a stream cipher. On Wed, 29 Mar 2023, Robinson, Herbie wrote: > > I?m hardly an expert on this, but if I remember correctly, the rekey rate > for good security is mostly dependent on the cipher block size.? I left my > reference books at home; so, I can?t come up with a r...

...m: Damien Miller <djm at mindrot.org> Sent: Wednesday, March 29, 2023 3:08 PM To: Robinson, Herbie <Herbie.Robinson at stratus.com> Cc: Chris Rapier <rapier at psc.edu>; Christian Weisgerber <naddy at mips.inka.de>; openssh-unix-dev at mindrot.org Subject: RE: [EXTERNAL] Re: ChaCha20 Rekey Frequency [EXTERNAL SENDER: This email originated from outside of Stratus Technologies. Do not click links or open attachments unless you recognize the sender and know the content is safe.] That's true for block ciphers, but ChaCha20+poly1305 is a stream cipher. On Wed, 29 Mar 2023, Ro...

...v <openssh-unix-dev-bounces+herbie.robinson=stratus.com at mindrot.org> On Behalf Of Damien Miller Sent: Wednesday, March 29, 2023 2:38 PM To: Chris Rapier <rapier at psc.edu> Cc: Christian Weisgerber <naddy at mips.inka.de>; openssh-unix-dev at mindrot.org Subject: [EXTERNAL] Re: ChaCha20 Rekey Frequency [EXTERNAL SENDER: This email originated from outside of Stratus Technologies. Do not click links or open attachments unless you recognize the sender and know the content is safe.] On Wed, 29 Mar 2023, Chris Rapier wrote: > I was wondering if there was something specific to the...

https://bugzilla.mindrot.org/show_bug.cgi?id=2177 Bug ID: 2177 Summary: wrong sizeof() parameter following chacha20 commit Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: minor Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: loganaden...

On Wed, 29 Mar 2023, Chris Rapier wrote: > I was wondering if there was something specific to the internal chacha20 > cipher as opposed to OpenSSL implementation. > > I can't just change the block size because it breaks compatibility. I can do > something like as a hack (though it would probably be better to do it with the > compat function): > > if (strstr(enc->name, "chacha&...

...On Thu, 17 Jan 2019, Yuriy M. Kaminskiy wrote: > > > On some cpu's optimized chacha implementation in openssl (1.1.0+) > > is > > notably faster (and on others it is just faster) than generic C > > implementation in openssh. > > > > Sadly, openssl's chacha20-poly1305 (EVP_chacha20_poly1305) uses > > different scheme (with padding/etc - see rfc8439) and it looks it > > is not > > possible to use in openssh. > > > > OpenSSL 1.1.1+ also exports "raw" poly1305 primitive, but I > > have not tried it yet (it was...

...to set preferences for apps' usage, e.g. Postfix etc; Typically, here cat /etc/pki/tls/openssl.cnf openssl_conf = default_conf [default_conf] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] MinProtocol = TLSv1.2 Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-S...

...519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.co...

Hi Damien, >This is what I'm playing with at the moment: if you?re playing with this currently anyway, shouldn?t? >+ /* >+ * Otherwise, use the RFC4344 s3.2 recommendation of 2**(L/4) blocks >+ * before rekeying where L is the blocksize in bits. >+ * Most other ciphers have a 128 bit blocksize, so this equates to >+ * 2**32 blocks / 64GB data. >+ */ >+ return

On Wed, 29 Mar 2023, Thorsten Glaser wrote: > Hi Damien, > > >This is what I'm playing with at the moment: > > if you?re playing with this currently anyway, shouldn?t? > > >+ /* > >+ * Otherwise, use the RFC4344 s3.2 recommendation of 2**(L/4) blocks > >+ * before rekeying where L is the blocksize in bits. > >+ * Most other ciphers have a 128

On Thu, 30 Mar 2023, Damien Miller wrote: >> >+ return (uint64_t)1 << (c->block_size * 2); >> >> ? this get an upper bound? This is UB for 256-bit blocksizes >> at least? > >block sizes in struct sshcipher are in bytes, not bits Yes, exactly. 256 bit = 32 bytes; 32*2 = 64; (uint64_t)1 << 64 is UB. bye, //mirabilos -- Infrastrukturexperte ?

When testing chacha20-poly1305, I noticed that aes-gcm is significantly faster than aes-ctr or aes-cbs with umac. Even on systems w/o aes-ni or other recent instruction set additions. And there seems to be consensus in the crypto community that AEAD ciphers are the way forward. As such, it promoting the AEAD ciphers...

https://bugzilla.mindrot.org/show_bug.cgi?id=2729 Bug ID: 2729 Summary: Can connect with MAC hmac-sha1 even though it's not configured on the server Product: Portable OpenSSH Version: 7.5p1 Hardware: All OS: Linux Status: NEW Severity: security Priority: P5

...Assignee: unassigned-bugs at mindrot.org Reporter: sshedi at vmware.com Hi, This seems like a regression at first but there is a way to work around it. When fips is enabled at server end and server has the following cipher set, ``` root at phdev:~ $ sshd -T | grep ciphers ciphers chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com root at phdev:~ $ rpm -q openssh openssh-9.1p1-10.ph5.x86_64 (this happens with 9.4p1 as well) ``` The handshake with client starts with chacha20-poly1305 and this cipher is not fips compl...

...le strong KexAlgorithms, Ciphers and MACs in > /etc/ssh/sshd_config file as per the above ssh server version. For > example > as per below setting. > > KexAlgorithms > ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie- > hellman-group-exchange-sha256 > Ciphers chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com, > aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr > MACs hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com, > umac-128-etm at openssh.com,hmac-sha2-512,hmac-sha2-256, > umac-128 at openssh.com > > Pleas...