cloudflare / sslconfig

Cloudflare's Internet facing SSL configuration
BSD 3-Clause "New" or "Revised" License

Implement CHACHA20_POLY1305 #4

Closed i-rme closed 9 years ago

i-rme commented 9 years ago

This cipher suite triples the speed on smartphones compared to AES_128_GCM. It is implemented in stable Chrome releases (both mobile and desktop), and I hope Firefox will implement it too.

Chrome is being used by 49% of all internet users worldwide, so this cipher would benefit at least half of Cloudflare's hits.


ChaCha20-Poly1305

This cipher (technically an AEAD, not a cipher, as is AES-GCM) also has no known breaks but is designed to facilitate fast and secure software implementations. For situations where hardware AES-GCM support is not available, it provides a fast alternative. Even when AES-GCM hardware is provided, ChaCha20-Poly1305 is currently within a factor of two in speed.

http://googleonlinesecurity.blogspot.com.es/2013/11/a-roster-of-tls-cipher-suites-weaknesses.html

Earlier this year, we deployed a new TLS cipher suite in Chrome that operates three times faster than AES-GCM on devices that don’t have AES hardware acceleration, including most Android phones, wearable devices such as Google Glass and older computers. This improves user experience, reducing latency and saving battery life by cutting down the amount of time spent encrypting and decrypting data.

The benefits of this new cipher suite include:

Better security: ChaCha20 is immune to padding-oracle attacks, such as the Lucky13, which affect CBC mode as used in TLS. By design, ChaCha20 is also immune to timing attacks. Check out a detailed description of TLS ciphersuites weaknesses in our earlier post.

Better performance: ChaCha20 and Poly1305 are very fast on mobile and wearable devices, as their designs are able to leverage common CPU instructions, including ARM vector instructions. Poly1305 also saves network bandwidth, since its output is only 16 bytes compared to HMAC-SHA1, which is 20 bytes. This represents a 16% reduction of the TLS network overhead incurred when using older ciphersuites such as RC4-SHA or AES-SHA.

The expected acceleration compared to AES-GCM for various platforms is summarized in the chart below.

http://googleonlinesecurity.blogspot.com.es/2014/04/speeding-up-and-strengthening-https.html

PiotrSikora commented 9 years ago

Stay tuned ;)

centminmod commented 9 years ago

Yup, I am already using the Cloudflare patch along with patched OpenSSL 1.0.2 with chacha20_poly1305 support at https://sslspdy.com/, works nice :)

DomT4 commented 9 years ago

@centminmod Is there an updated ChaCha_Poly patch for the 1.0.2 branch? I spoke to the OpenSSL team last week and was told AGL's patch to implement those two ciphers was "out of date".

centminmod commented 9 years ago

@DomT4 I am using Peter Mosmans' patched and maintained OpenSSL 1.0.2 repo version: https://www.onwebsecurity.com/cryptography/openssl and https://github.com/PeterMosmans/openssl

grittygrease commented 9 years ago

See https://github.com/cloudflare/sslconfig/pull/5, it's a faster implementation than can be found in Chrome or BoringSSL.

DomT4 commented 9 years ago

@centminmod Thanks. He did actually email me the link off-list, but I hadn't checked it out yet.
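
Since the thread turns on whether a particular OpenSSL build carries the ChaCha20-Poly1305 suites, here is a local check, added as an example that is not part of the thread or of any patch mentioned in it. It classifies the suites reported by the OpenSSL linked into Python and shows where ChaCha20-Poly1305 ranks against AES-GCM in that library's default list; the function names and the two sample lists are constructed for illustration.

```python
import ssl

# Constructed sample data in the shape ssl.SSLContext.get_ciphers() returns
# (only the keys used here); not captured from any real server or build.
STOCK_BUILD = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"name": "ECDHE-RSA-AES128-SHA", "protocol": "TLSv1.0"},
]
PATCHED_BUILD = [
    {"name": "ECDHE-RSA-CHACHA20-POLY1305", "protocol": "TLSv1.2"},
] + STOCK_BUILD


def classify(ciphers):
    """Group suites by AEAD family, keeping preference rank (0 = first)."""
    report = {"chacha20_poly1305": [], "aes_gcm": [], "other": []}
    for rank, suite in enumerate(ciphers):
        # Normalise TLS 1.3 style names (TLS_CHACHA20_POLY1305_SHA256).
        name = suite["name"].upper().replace("_", "-")
        if "CHACHA20-POLY1305" in name:
            family = "chacha20_poly1305"
        elif "GCM" in name:
            family = "aes_gcm"
        else:
            family = "other"  # CBC+HMAC, RC4, CCM, ...
        report[family].append((rank, suite.get("protocol", "?"), suite["name"]))
    return report


def chacha_first(report):
    """True/False: ChaCha20 ranked above all AES-GCM suites; None if absent."""
    chacha, gcm = report["chacha20_poly1305"], report["aes_gcm"]
    if not chacha:
        return None
    return not gcm or chacha[0][0] < gcm[0][0]


def local_report():
    """Classify the suites the OpenSSL linked into this Python enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return classify(ctx.get_ciphers())


if __name__ == "__main__":
    rep = local_report()
    print(ssl.OPENSSL_VERSION)
    for family in ("chacha20_poly1305", "aes_gcm"):
        for rank, proto, name in rep[family]:
            print(f"{family:18} rank={rank:<3} {proto:8} {name}")
    print("ChaCha20 ranked ahead of AES-GCM:", chacha_first(rep))
```

This inspects the local library only; what a server actually negotiates also depends on its configured cipher string and on the client's offer.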