diff options
Diffstat (limited to 'PROTOCOL.chacha20poly1305')
| -rw-r--r-- | PROTOCOL.chacha20poly1305 | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/PROTOCOL.chacha20poly1305 b/PROTOCOL.chacha20poly1305 index 9cf73a92..0bfff28d 100644 --- a/PROTOCOL.chacha20poly1305 +++ b/PROTOCOL.chacha20poly1305 @@ -16,7 +16,7 @@ that computes a 128 bit integrity tag given a message and a single-use The chacha20-poly1305@openssh.com combines these two primitives into an authenticated encryption mode. The construction used is based on that proposed for TLS by Adam Langley in [3], but differs in the layout of -data passed to the MAC and in the addition of encyption of the packet +data passed to the MAC and in the addition of encryption of the packet lengths. Negotiation @@ -34,6 +34,8 @@ Detailed Construction The chacha20-poly1305@openssh.com cipher requires 512 bits of key material as output from the SSH key exchange. This forms two 256 bit keys (K_1 and K_2), used by two separate instances of chacha20. +The first 256 bits constitute K_2 and the second 256 bits become +K_1. The instance keyed by K_1 is a stream cipher that is used only to encrypt the 4 byte packet length field. The second instance, @@ -101,5 +103,5 @@ References [3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 -$OpenBSD: PROTOCOL.chacha20poly1305,v 1.2 2013/12/02 02:50:27 djm Exp $ +$OpenBSD: PROTOCOL.chacha20poly1305,v 1.5 2020/02/21 00:04:43 dtucker Exp $ |