ChaCha20 Rekey Frequency
Christian Weisgerber
naddy at mips.inka.de
Sat Mar 25 07:36:05 AEDT 2023
Chris Rapier:
> I'm wondering why the ChaCha20 cipher rekeys so frequently. At speed I'm
> seeing rekeys every second or two. So I'm spending a large amount of
> time in the rekey process. From what I've read about ChaCha20 it
> shouldn't need to be rekeyed quite so frequently. Am I missing something
> obvious?
That looks to be accidental.
The default rekey limit is set in ssh_set_newkeys():
/*
* The 2^(blocksize*2) limit is too expensive for 3DES,
* so enforce a 1GB limit for small blocksizes.
* See RFC4344 section 3.2.
*/
if (enc->block_size >= 16)
*max_blocks = (u_int64_t)1 << (enc->block_size*2);
else
*max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
if (state->rekey_limit)
*max_blocks = MINIMUM(*max_blocks,
state->rekey_limit / enc->block_size);
And the block size of chacha20-poly1305 is set to 8 bytes in
ciphers[]. As a result, chacha20-poly1305 is rekeyed every 1GB of
data as opposed to the 4GB limit of the AES-based ciphers.
--
Christian "naddy" Weisgerber naddy at mips.inka.de
More information about the openssh-unix-dev
mailing list