On Fri, Nov 22, 2013 at 3:57 PM, D. J. Bernstein <
d...@cr.yp.to> wrote:
> Apparently Google is deploying ChaCha20 as a TLS option. The Chromium
> ChaCha20 implementation doesn't correctly encrypt input messages larger
> than 256 GB---it simply repeats the first 256 GB of keystream, whereas
> the ChaCha20 definition actually allows messages up to 1099511627776 GB.
Note that the code in question is, essentially,
supercop-20130419/crypto_stream/chacha20/krovetz/stream.c, which has
the same size limitation.
> Apparently OpenSSL is refusing to take Google's ChaCha20 TLS patches
> until the patches are modified to support an updating API. Further
> discussion of this lunacy is obviously _much_ too interesting for the
> boring-crypto mailing list. :-)
As part of the ChaCha20 patches, I implemented an AEAD API in OpenSSL
because the existing one was kept in an odd place, disguised as
something else, and took all manner pokes and shakes to make it work.
In the interests of never exposing unauthenticated plaintext to the
user of the API, it's purely a one-shot affair; like secretbox and
secretbox_open. AES-GCM is also supported by this API and I understand
that there's an exciting new cryptographic standard called CMS[1] that
a) uses AES-GCM and b) requires streaming decryption of large
messages.
[1]
http://tools.ietf.org/html/rfc5652
Thus upstream thought it unwise to commit to a new API that didn't
support that use.
With a heavy heart I've now written a streaming, AEAD API that goes
alongside the one-shot version. But it's stalled in code review for
the moment.
> The NaCl development team has been discussing a related issue for some
> time, namely what the "AES" primitive should actually take as input.
> Right now it's a quite traditional counter mode, generating keystream
> AES(n), AES(n+1), AES(n+2), etc., but this means that the requirements
> on n are more than just "use a new n for each message"---it would be a
> problem to start the next message with n+1, for example. We've
> considered a 32-bit counter and a 96-bit nonce, which would fit nicely
> with GCM, but this raises the question of what to do (on a 64-bit
> machine) if some non-boring protocol asks for encryption of a plaintext
> larger than 64 gigabytes. What we're leaning towards is a 64-bit counter
> and a 64-bit nonce.
Any user of the API that requests a > 64GB operation is likely to
force some participant in the protocol to perform a streaming
(en/de)cryption. So it might be more boring to force all users to
produce < 64GB chunks.
However, a 96-bit nonce isn't comfortably long enough to pick at
random so there doesn't seem to be any benefit for 96 bits of nonce
over 64.
Cheers
AGL
--
Adam Langley
a...@imperialviolet.org http://www.imperialviolet.org