Contributed by jcr on from the the-poly-cha-cha-is-the-new-dance-craze dept.
OpenBSD developer Damien Miller (djm@) wrote a great post titled "ChaCha20 and Poly1305 in OpenSSH" and below is a small excerpt:
Recently, I committed support for a new authenticated encryption cipher for OpenSSH, chacha20-poly1305@openssh.com. This cipher combines two primitives from Daniel J. Bernstein: the ChaCha20 cipher and the Poly1305 MAC (Message Authentication Code) and was inspired by Adam Langley's similar proposal for TLS.
Why another cipher and MAC? A few reasons... First, we would like a high-performance cipher to replace RC4 since it is pretty close to broken now, we'd also like an authenticated encryption mode to complement AES-GCM - which is great if your hardware supports it, but takes significant voodoo to make run in constant time and, finally, having an authenticated encryption mode that is based on a stream cipher allows us to encrypt the packet lengths again.
Wait, what do you mean by "encrypt the packet lengths again"? (last rhetorical question, I promise) Well, it's a long story that requires a little background...
By Andreas Andersson (85.230.125.88) on
By Anonymous Coward (94.217.21.23) on
Comments
By \\ (2001:470:e4ef:1:ba97:5aff:fe04:fa60) on
Use RSA
Comments
By Anonymous Coward (178.7.28.75) on
> Use RSA
It's a fix, not a solution. If it's likely to be backdoored, they should pull it.
By Anonymous Coward (cnst) on http://bxr.su/OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305
Is it just "a high-performance cipher to replace RC4 since it is pretty close to broken now" (to quote djm), or is it a great choice to use as the default protocol on, say, new x86 installations, where crypto use by ssh isn't known to be a bottleneck?