ChaCha20 Rekey Frequency
Chris Rapier
rapier at psc.edu
Thu Mar 30 00:38:38 AEDT 2023
I was wondering if there was something specific to the internal chacha20
cipher as opposed to OpenSSL implementation.
I can't just change the block size because it breaks compatibility. I
can do something like as a hack (though it would probably be better to
do it with the compat function):
if (strstr(enc->name, "chacha"))
*max_blocks = (u_int64_t)1 << (16*2);
else if (enc->block_size >= 16)
*max_blocks = (u_int64_t)1 << (enc->block_size*2);
else
*max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
if (state->rekey_limit)
to force it to reduce the rekey rate but I'm deeply unsure of what
impact that would have on the security of the cipher as it's
implemented. Especially the without-openssl internal implementation.
Chris
On 3/24/23 4:36 PM, Christian Weisgerber wrote:
> Chris Rapier:
>
>> I'm wondering why the ChaCha20 cipher rekeys so frequently. At speed I'm
>> seeing rekeys every second or two. So I'm spending a large amount of
>> time in the rekey process. From what I've read about ChaCha20 it
>> shouldn't need to be rekeyed quite so frequently. Am I missing something
>> obvious?
>
> That looks to be accidental.
>
> The default rekey limit is set in ssh_set_newkeys():
> /*
> * The 2^(blocksize*2) limit is too expensive for 3DES,
> * so enforce a 1GB limit for small blocksizes.
> * See RFC4344 section 3.2.
> */
> if (enc->block_size >= 16)
> *max_blocks = (u_int64_t)1 << (enc->block_size*2);
> else
> *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
> if (state->rekey_limit)
> *max_blocks = MINIMUM(*max_blocks,
> state->rekey_limit / enc->block_size);
>
> And the block size of chacha20-poly1305 is set to 8 bytes in
> ciphers[]. As a result, chacha20-poly1305 is rekeyed every 1GB of
> data as opposed to the 4GB limit of the AES-based ciphers.
>
More information about the openssh-unix-dev
mailing list