| version 1.1, 2013/11/21 00:45:43 |
version 1.2, 2013/12/02 02:50:27 |
|
|
| the MAC. By using an independently-keyed cipher instance to encrypt the |
the MAC. By using an independently-keyed cipher instance to encrypt the |
| length, an active attacker seeking to exploit the packet input handling |
length, an active attacker seeking to exploit the packet input handling |
| as a decryption oracle can learn nothing about the payload contents or |
as a decryption oracle can learn nothing about the payload contents or |
| its MAC (assuming key derivation, ChaCha20 and Poly1306 are secure). |
its MAC (assuming key derivation, ChaCha20 and Poly1305 are secure). |
| |
|
| The AEAD is constructed as follows: for each packet, generate a Poly1305 |
The AEAD is constructed as follows: for each packet, generate a Poly1305 |
| key by taking the first 256 bits of ChaCha20 stream output generated |
key by taking the first 256 bits of ChaCha20 stream output generated |
![[BACK]](/icons/back.gif){kind=icon}
Return to PROTOCOL.chacha20poly1305 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh