Check Point Software Technologies Ltd.

5 Hasolelim st. Tel Aviv 6789735 Israel ynir.ietf@gmail.com

Security Area Internet-Draft This document describes the use of the ChaCha20 stream cipher along with the Poly1305 authenticator, combined into an AEAD algorithm for the Internet Key Exchange protocol (IKEv2) and for IPsec.

The Advanced Encryption Standard (AES - ) has become the gold standard in encryption. Its efficient design, wide implementation, and hardware support allow for high performance in many areas, including IPsec VPNs. On most modern platforms, AES is anywhere from 4x to 10x as fast as the previous most-used cipher, 3-key Data Encryption Standard (3DES - ). 3DES also has a 64-bit block, which means that the amount of data that can be encrypted before rekeying is required is not great. These reasons make AES not only the best choice, but the only choice. The problem is that if future advances in cryptanalysis reveal a weakness in AES, VPN users will be in an unenviable position. With the only other widely supported cipher being the much slower 3DES, it is not feasible to re-configure IPsec installations to use 3DES. describes this issue and the need for a standby cipher in greater detail. This document proposes the ChaCha20 stream cipher as such a standby cipher in an Authenticated Encryption with Associated Data (AEAD) construction with the Poly1305 authenticator for use with the Encapsulated Security Protocol (ESP - ) and the Internet Key Exchange Protocol (IKEv2 - ). The algorithms are described in a separate document (). This document only describes the IPsec-specific things.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

AEAD_CHACHA20_POLY1305 is a combined mode algorithm, or AEAD. The construction follows the AEAD construction in section 2.8 of : The Initialization Vector (IV) is 64-bit, and is used as part of the nonce. The IV MUST be unique for each invocation for a particular SA but does not need to be unpredictable. The use of a counter or a linear feedback shift register (LFSR) is RECOMMENDED. A 32-bit Salt is prepended to the 64-bit IV to form the 96-bit nonce. The salt is fixed per SA and it is not transmitted as part of the ESP packet. The encryption key is 256-bit. The Internet Key Exchange protocol generates a bitstring called KEYMAT using a pseudo-random function (PRF). That KEYMAT is divided into keys for encryption, message authentication and whatever else is needed. The KEYMAT requested for each ChaCha20-Poly1305 key is 36 octets. The first 32 octets are the 256-bit ChaCha20 key, and the remaining four octets are used as the Salt value in the nonce. The ChaCha20 encryption algorithm requires the following parameters: a 256-bit key, a 96-bit nonce, and a 32-bit initial block counter. For ESP we set these as follows: The key is set as mentioned above. The 96-bit nonce is formed from a concatenation of the 32-bit Salt and the 64-bit IV, as described above. The Initial Block Counter is set to one (1). The reason that one is used for the initial counter rather than zero is that zero is reserved for generating the one-time Poly1305 key (see below) As the ChaCha20 block function is not applied directly to the plaintext, no padding should be necessary. However, in keeping with the specification in RFC 4303, the plaintext always has a pad length octet and may require padding bytes so as to align the buffer to an integral multiple of 4 octets. The same key and nonce, along with a block counter of zero are passed to the ChaCha20 block function, and the top 256 bits of the result are used as the Poly1305 key. The nonce passed to the block function here is the same nonce that is used in ChaCha20, including the 32-bit Salt, and the key passed is the same as the encryption key. Finally, the Poly1305 function is run on the data to be authenticated, which is, as specified in section 2.8 of a concatenation of the following in the below order: The Authenticated Additional Data (AAD) - see . Padding that rounds the length up to 16 bytes. This is 4 or 8 bytes depending on whether extended sequence numbers (ESN) is set for the SA. The padding is all zeros. The ciphertext Padding that rounds the total length up to an integral multiple of 16 bytes. This padding is also all zeros. The length of the additional authenticated data (AAD) in octets (as a 64-bit little-endian integer). The length of the ciphertext in octets (as a 64-bit little-endian integer). The 128-bit output of Poly1305 is used as the tag. All 16 bytes are included in the packet. The encryption algorithm transform ID for negotiating this algorithm in IKE is TBA by IANA.

The construction of the Additional Authenticated Data (AAD) is similar to the one in . For security associations (SAs) with 32-bit sequence numbers the AAD is 8 bytes: 4-byte SPI followed by 4-byte sequence number ordered exactly as it is in the packet. For SAs with ESN the AAD is 12 bytes: 4-byte SPI followed by an 8-byte sequence number as a 64-bit network order integer.

AEAD algorithms can be used in IKE, as described in . More specifically: The Encrypted Payload is as described in section 3 of that document. The ChaCha20-Poly1305 keying material is derived from KEYMAT as for ESP: 36 octets are requested, of which the first 32 form the key and the last 4 form the salt. The IV is 64 bits, as described in . The AAD is as described in section 5.1 of RFC 5282, so it's 32 bytes (28 for the IKEv2 header + 4 bytes for the encrypted payload header) assuming no unencrypted payloads.

When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or IPsec, the value xxx (TBA by IANA) should be used in the transform substructure of the SA payload as the ENCR (type 1) transform ID. As with other AEAD algorithms, INTEG (type 3) transform substructures MUST NOT be specified or just one INTEG transform MAY be included with value NONE (0).

The ChaCha20 cipher is designed to provide 256-bit security. The Poly1305 authenticator is designed to ensure that forged messages are rejected with a probability of 1-(n/(2^102)) for a 16n-byte message, even after sending 2^64 legitimate messages, so it is SUF-CMA in the terminology of . The most important security consideration in implementing this draft is the uniqueness of the nonce used in ChaCha20. The nonce should be selected uniquely for a particular key, but unpredictability of the nonce is not required. Counters and LFSRs are both acceptable ways of generating unique nonces. Another issue with implementing these algorithms is avoiding side channels. This is trivial for ChaCha20, but requires some care for Poly1305. Considerations for implementations of these algorithms are in the document.

IANA is requested to assign one value from the IKEv2 "Transform Type 1 - Encryption Algorithm Transform IDs" registry, with name ENCR_CHACHA20_POLY1305, and this document as reference for both ESP and IKEv2.

All of the algorithms in this document were designed by D. J. Bernstein. The AEAD construction was designed by Adam Langley. The author would also like to thank Adam for helpful comments, as well as Yaron Sheffer for telling me to write the algorithms draft. Thanks also to Martin Willi for pointing out the discrepancy with the final version of the algorithm document, and to Valery Smyslov and Tero Kivinen for helpful comments on this draft.

Harvard University

1350 Mass. Ave. Cambridge MA 02138 - +1 617 495 3864 sob@harvard.edu

General keyword Google Inc. Check Point National Institute of Standards and Technology National Institute of Standards and Technology Cisco Systems, Inc. Cisco Systems, Inc. Porticor Sun Microsystems, Inc. Sun Microsystems, Inc.

For this example, we will use a tunnel-mode ESP SA using the ChaCha20-Poly1305 algorithm. The keying material is as follows:

Obviously not a great PRF. The first 32 octets are the key and the final four octets (0xa0 0xa1 0xa2 0xa3) are the salt. For the packet, we will use an ICMP packet from 198.51.100.5 to 192.0.2.5:

The SA details are as follows: The key and Salt are as above. The SPI is 0x01 0x02 0x03 0x04. The next sequence number is 5; ESN is not enabled. The gateway IP address for this side is 203.0.113.153; The peer address is 203.0.113.5. NAT was not detected. The 64-bit IV is 0x10 0x11 0x12 0x13 0x14 0x15 0x16 0x17. Putting together the salt and IV we get the nonce:

The plaintext to encrypt consists of the source IP packet plus the padding:

With the key, nonce and plaintext available, we can call the ChaCha20 function and encrypt the packet, producing the ciphertext:

To calculate the tag, we need a one-time Poly1305 key, which we calculate by calling the ChaCha20 function again with the same key and nonce, but a block count of zero.

The AAD is constructed by concatenating the SPI to the sequence number:

The input to the Poly1305 function is constructed by concatenating and padding the AAD and ciphertext:

The resulting tag is:

Putting it all together, the resulting packet is as follows:

For the IKEv2 example, we'll use the following: The key is 0x80..0x9f, the same as in . The Salt is 0xa0 0xa1 0xa2 0xa3. The IV will also be the same as in the previous example. The fact that the IV and Salt are both the same means that the nonce is also the same. Because the key and nonce are the same, so is the one-time Poly1305 key. The packet with be an Informational request carrying a single payload: A Notify payload with type SET_WINDOW_SIZE, setting the window size to 10. iSPI = 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7. rSPI = 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 0xd6 0xd7. Message ID shall be 9.

Padding as required by RFC 7296:

The AAD is constructed by appending the IKE header to the encrypted payload header. Note that the length field in the IKE header and the length field in the encrypted payload header have to be calculated before constructing the AAD:

In this case, the length of the AAD is an integral multiple of 16, so when constructing the input to Poly1305 there was no need for padding. The ciphertext is also 16 octets long, so the construction has no padding at all. Just 32 octets of AAD, 16 octets of ciphertext, and two 8-octet length fields in little-endian encoding.

The below file in the snoop format contains three packets: The first is the ICMP packet from the example in the , the second is the ESP packet from the same appendix, and the third is the IKEv2 packet from this appendix. To convert this text back into a file, you can use a Unix command line tools such as "openssl enc -d -a":