Nikos Mavrogiannopoulos nmav@gnutls.org writes:
> Are you sure that these will not be updated to follow the final document? It would be sad to have protocols following an early draft and others the final.
These days, I'm not following ssh as closely as I'd like to. But I think current use of chacha-poly1305 is specified by openssh, not really standardized.
I'm considering raising this on the ietf-ssh list (if no one else is quicker).
Compared to the openssh implementation I'd like to
1. Make the AEAD processing compatible with the upcoming RFC.
2. Use leftover bits from the first chacha block to encrypt the packet size, instead of using a separate chacha context for that.
I think (2) may seem a bit odd, and it means that the chacha-poly1305 implementation needs to expose those bits. But I think it makes sense in the ssh context. In nettle, it could be supported with a variant of chacha_poly1305_set_nonce with some additional argument.
And then there are some general issues on how to deal with AEAD algorithms in the ssh algorithm negotiation, which was designed for separate encryption and MAC; those have been discussed on the ietf-ssh list, but I don't remember the conclusion, if any.
Regards, /Niels