I read draft-ietf-ipsecme-chacha20-poly1305 on Friday last, and then found that I needed to further review draft-nir-cfrg-chacha20-poly1305-06 to better understand the questions in para 2 of the security considerations, the question about the uniqueness the nonce, so my initial reading, being mostly ignorant about ChaCha and Poly1305 was very confusing.
(In preparing this email, I was also using the -05 document, which I see is
new. I think that I read -03 on Friday. -04 seems to have been skipped?)
I had not yet read any of the discussion on the list (intentionally) so as
to judge whether I understood the document on it's own.
{in preparing this email, I read the thread afterwards, and I now see that
some discussion was previously about IV being derived from replay counter, a
notion which I think has been removed from the ID. I don't think that I have
any new questions; I think that after having read the document well, that
I can implement from the documents as they are}
I don't understand:
> As the ChaCha20 block function is not applied directly to the
> plaintext, no padding should be necessary. However, in keeping with
could this be a typo ChaCha20 vs Poly1305?
If the encryption algorithm is now applied directly, then what is?
Or is meant that the block function for ChaCha20 used only to generate
bits for a stream cipher, and the XOR is what is "applied directly"?
> The same key and nonce, along with a block counter of zero are passed
> to the ChaCha20 block function, and the top 256 bits of the result
> are used as the Poly1305 key. The nonce passed to the block
> function here is the same nonce that is used in ChaCha20, including the
> 32-bit
> Salt, and the key passed is the same as the encryption key.
I think that if I have a block encryption function, that I need to encrypt
something to get an output. I don't know what that is here....
Later I understood from reading cfrg-chacha20 that the ChaCha20 block
function acts as a prng, and that's why this is a stream ciper, not a block
cipher. The use of the term "block function" here was confusing to me.
At first, I understand the nonce, was going to be the IV. Was there some
discussion/options in a previous version of the draft?
I initially understood that the the 32-bit block counter would be taken from
the replay counter, but now I see that this is incorrect, that it's unrelated
to the replay counter, and that I misunderstood at first.
So the Salt is really part of the key material. We have a 36-byte key. It
matters to people debugging things with a tool like TCPDUMP, that they know they
should expect 36-bytes.
Is this diagram correct:
keymat: iv: ctr:
+-----------------------+----+ +--------+ +----+
|01234567890123456789012|0123| |abcdefgh| |0001|
+-----------------------+----+ +--------+ +----+
| | | |
| | | |
| | | |
key: V nonce: V block V
+-----------------------+ +------------+ ctr:+----+
|01234567890123456789012| |0123abcdefgh| |00xx|
+-----------------------+ +------------+ +----+
words: 4-11 words: 13-15 word 12
\-----\ /------------\ /-----------------------------/
\/ \ /
| ctr=0 \/ 64-byte chunks prng
| ||
| |^^xor^ --< plaintext+padding+NH
| replay# ||
| spi# +----------+
| | | cipher |
| | /--<--| text |
| | | +----------+
| | | |
| | | |
V V V |
/----------\ |
| Poly1305 | |
| algo | |
\----------/ |
V V
+----+
|MIC |
+----+
I am very very very happy that cfrg-chacha20 has so many examples in it.
That's really awesome.
It wasn't until I read all of cfrg-chacha20 that I understood that the
Poly1305 needs to seeded for *each* packet. I also think that the Poly1305
is not used in an HMAC construction.
I think that the IANA considerations of ipsecme-chacha20-poly1305 should say
something like,
"According to cfrg-chacha20, Poly-1305 is not suitable for
use as a PRF for IKEv2, and this specification explicitely
does not allocate a code point for that."
=====
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
