author | djm@openbsd.org <djm@openbsd.org> | 2016-05-03 13:10:24 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-05-04 00:55:21 +1000 |
commit | 05855bf2ce7d5cd0a6db18bc0b4214ed5ef7516d (patch) | |
tree | 339bbd3dc536ea026fc9714deaa6642352367a66 /PROTOCOL.chacha20poly1305 | |
parent | cca3b4395807bfb7aaeb83d2838f5c062ce30566 (diff) | |
download | openssh-git-05855bf2ce7d5cd0a6db18bc0b4214ed5ef7516d.tar.gz |
upstream commit
clarify ordering of subkeys; pointed out by ietf-ssh AT
stbuehler.de
Upstream-ID: 05ebe9f949449a555ebce8e0aad7c8c9acaf8463
Diffstat (limited to 'PROTOCOL.chacha20poly1305')
-rw-r--r-- | PROTOCOL.chacha20poly1305 | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/PROTOCOL.chacha20poly1305 b/PROTOCOL.chacha20poly1305 index 9cf73a92..4857d385 100644 --- a/PROTOCOL.chacha20poly1305 +++ b/PROTOCOL.chacha20poly1305 @@ -34,6 +34,8 @@ Detailed Construction The chacha20-poly1305@openssh.com cipher requires 512 bits of key material as output from the SSH key exchange. This forms two 256 bit keys (K_1 and K_2), used by two separate instances of chacha20. +The first 256 bits consitute K_2 and the second 256 bits become +K_1. The instance keyed by K_1 is a stream cipher that is used only to encrypt the 4 byte packet length field. The second instance, @@ -101,5 +103,5 @@ References [3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 -$OpenBSD: PROTOCOL.chacha20poly1305,v 1.2 2013/12/02 02:50:27 djm Exp $ +$OpenBSD: PROTOCOL.chacha20poly1305,v 1.3 2016/05/03 13:10:24 djm Exp $ |
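Review bot: The added sentence in the first hunk (-34,6 +34,8) misspells "constitute" as "consitute" in "The first 256 bits consitute K_2". The order it documents is also the reverse of the numbering: the first half of the key material is K_2 and the second half is K_1. An implementer skimming the text could easily assume the opposite. Consider wording it as "The first 256 bits of this key material constitute K_2 and the second 256 bits become K_1", and adding a short remark that the reversed order is intentional. Two implementations that split the 512 bits differently would not interoperate. The second hunk only bumps the $OpenBSD$ revision tag and needs no change.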