chacha20+poly1305 authenticated encryption

Jon Cave jon.cave at mwrinfosecurity.com
Mon Dec 2 01:28:54 EST 2013


There is a small typo in the new protocol document where it mistakenly
references "Poly1306".

- Jon

Index: usr.bin/ssh/PROTOCOL.chacha20poly1305
===================================================================
RCS file: /cvs/src/usr.bin/ssh/PROTOCOL.chacha20poly1305,v
retrieving revision 1.1
diff -u -r1.1 PROTOCOL.chacha20poly1305
--- usr.bin/ssh/PROTOCOL.chacha20poly1305	21 Nov 2013 00:45:43 -0000	1.1
+++ usr.bin/ssh/PROTOCOL.chacha20poly1305	1 Dec 2013 14:15:21 -0000
@@ -47,7 +47,7 @@
 the MAC. By using an independently-keyed cipher instance to encrypt the
 length, an active attacker seeking to exploit the packet input handling
 as a decryption oracle can learn nothing about the payload contents or
-its MAC (assuming key derivation, ChaCha20 and Poly1306 are secure).
+its MAC (assuming key derivation, ChaCha20 and Poly1305 are secure).

 The AEAD is constructed as follows: for each packet, generate a Poly1305
 key by taking the first 256 bits of ChaCha20 stream output generated
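
Review bot: Only the one occurrence on the changed line of the @@ -47,7 hunk is corrected, so search the rest of PROTOCOL.chacha20poly1305 for "Poly1306" before committing, so that any repeat of the typo is fixed in the same revision. The replacement itself is right and now matches the "Poly1305" spelling in the context line below it ("generate a Poly1305 key").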



