Problems with CipherBox and AEAD

Bradford Wetmore bradford.wetmore at oracle.com
Tue Oct 13 22:54:17 UTC 2015


A couple comments:

 > Were ChaCha20 and Poly1305 based cipher suites accepted as IETF RFC?
 > Looks like the proposal was not moving forward since May, 2014.
 >
 >      https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04

AFAIK, CHACHA20/Poly1305 based suites were never issued ciphersuite numbers.

     http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

The following suites are in the "Unassigned" section, so I assume they 
are just for this draft:

    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   = {0xcc, 0x13}
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = {0xcc, 0x14}
    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 =     {0xcc, 0x15}

As you probably know, we haven't supported anything like that (Stream 
cipher + Poly1305 as an AEAD).  I wouldn't be surprised if there were 
other problems.

Brad



On 10/12/2015 7:14 PM, Xuelei Fan wrote:
> Were ChaCha20 and Poly1305 based cipher suites accepted as IETF RFC?
> Looks like the proposal was not moving forward since May, 2014.
>
>      https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04
>
> Thanks,
> Xuelei
>
> On 10/11/2015 3:59 PM, Thomas Lußnig wrote:
>> Hi,
>>
>> when i extends "sun.security.ssl.CipherSuite" with
>>      final static BulkCipher B_CHACHA20_POLY1305 = new
>> BulkCipher("CHACHA20_POLY1305", AEAD_CIPHER  , 32 ,32,  0,  0, true );
>> i found an Problem in "sun.security.ssl.CipherBox
>> Method "applyExplicitNonce" there for the AEAD_CIPHER case is an NPE if
>> the IV Length is zero. Then fixedIv become null
>> and there is an NPE. The Workaround for this is
>>      final byte[] iv;
>>      if(this.fixedIv == null) { // FIX for CHACHA
>>          iv = new byte[this.recordIvSize];              // CHACHA fix
>>          bb.get(iv, 0, this.recordIvSize);
>>      } else {
>>          iv = Arrays.copyOf(this.fixedIv, this.fixedIv.length +
>> this.recordIvSize);
>>          bb.get(iv, this.fixedIv.length, this.recordIvSize);
>>      }
>> Another problem would occour if i use "new
>> BulkCipher("CHACHA20_POLY1305", AEAD_CIPHER  , 32 ,32,  8,  8, true );"
>> Then in createExplicitNonce the nonce should become zero size but is
>> fixed length for AEAD of 8 bytes.
>> Both was seen in JDK-1.8.0_60
>>
>> Gruß Thomas Lußnig
>>
>


More information about the security-dev mailing list