Hacker News new | ask | show | jobs
by stock_toaster 3540 days ago 

  > (X25519 is also the default between Chrome and
  > web servers: https://www.chromestatus.com/feature/5682529109540864 )
I thought chacha20/poly was the default. That's what I get when I connect to https://www.google.com with chrome (chrome-53) at any rate.
2 comments
wolf550e 3539 days ago
TLS cipher suites have five parts:

  1. key exchange:
    PSK - for embedded only
    RSA - obsolete because it doesn't provide PFS
    DHE - secure only if 2048 bits and up
    ECDHE - usually using P-256, secure
    ECDHE with Curve25519, called "X25519" - secure
    CECPQ1 - Google experiment in post quantum crypto
  2. authentication:
    PSK - for embedded only
    RSA encryption/decryption - obsolete because it doesn't provide PFS
    RSA signing and verification - secure if keys are 2048 bits and up
    ECDSA signing and verification - usually over P-256, secure
    EdDSA signing and verification - draft standard, uses Curve25519 and Curve448, secure
  3. cipher (for confidentiality):
    RC4 - disallowed
    3DES - obsolete because of sweet32
    AES-128 - good, requires AES hardware to be both fast and secure
    AES-256 - same as AES-128 but is required for post-quantum and against parallel attacks on many keys
    CHACHA20 - good, is fast on generic hardware
  4. MAC (to protect against tampering which usually breaks confidentiality):
    HMAC-MD5 - obsolete
    HMAC-SHA1 - ok
    HMAC-SHA256 and HMAC-SHA384 - no more secure than SHA1 for this use case
    GCM - faster than HMAC, requires CLMUL CPU instruction to be fast
    POLY-1305 - fast and secure on generic hardware
  5. KDF used to generate symmetric keys:
    MD5+SHA1 - obsolete, probably ok
    HMAC-SHA1 - ok
    HMAC-SHA256 and HMAC-SHA384 - no more secure than SHA1 for this use case
Originally 5 was the same as 4 and was not specified separately. Also, many details omitted.

But anyway, chacha20-poly1305 is actually one of these [1]:

   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
   TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
   TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
   TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
   TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
   TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
and you use only the first two from the list. The "ECDHE" part can be regular ECDHE with P-256 or X25519.

1 - https://tools.ietf.org/html/rfc7905#section-2

link
djsumdog 3539 days ago
This is a really good list. Those long cryptic string constants make a lot more sense now.
link
tveita 3539 days ago
ChaCha20-Poly1305 is a symmetric cipher, used for encrypting your traffic. X25519 is an key exchange protocol using asymmetric cryptography, and is used in during connection setup to establish keys for the symmetric cipher.

X25519 would appear under "Key exchange" and ChaCha20-poly1305 under "Cipher Suite"

With Chromium I just get ECDHE_RSA and AES_128_GCM, anyway.

link