chacha20+poly1305 authenticated encryption

Damien Miller djm at mindrot.org
Mon Dec 2 13:50:35 EST 2013


committed - thanks

On Sun, 1 Dec 2013, Jon Cave wrote:

> There is a small typo in the new protocol document where it mistakenly
> references "Poly1306".
> 
> - Jon
> 
> Index: usr.bin/ssh/PROTOCOL.chacha20poly1305
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/PROTOCOL.chacha20poly1305,v
> retrieving revision 1.1
> diff -u -r1.1 PROTOCOL.chacha20poly1305
> --- usr.bin/ssh/PROTOCOL.chacha20poly1305	21 Nov 2013 00:45:43 -0000	1.1
> +++ usr.bin/ssh/PROTOCOL.chacha20poly1305	1 Dec 2013 14:15:21 -0000
> @@ -47,7 +47,7 @@
>  the MAC. By using an independently-keyed cipher instance to encrypt the
>  length, an active attacker seeking to exploit the packet input handling
>  as a decryption oracle can learn nothing about the payload contents or
> -its MAC (assuming key derivation, ChaCha20 and Poly1306 are secure).
> +its MAC (assuming key derivation, ChaCha20 and Poly1305 are secure).
> 
>  The AEAD is constructed as follows: for each packet, generate a Poly1305
>  key by taking the first 256 bits of ChaCha20 stream output generated
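Review bot: Worth checking that line 50 is the only "Poly1306" in PROTOCOL.chacha20poly1305 before committing, since a typo in a MAC name usually appears more than once in a document of this length; the corrected "Poly1305" now matches the spelling used in the very next paragraph ("generate a Poly1305 key"), so a quick grep over the rest of the file and the accompanying cipher source is enough to confirm the spec names the MAC consistently throughout.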
> 
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 