Proposal: ChaCha20 and ChaCha20-Poly1305 Cipher implementations
Adam Petcher
adam.petcher at oracle.com
Thu Jan 25 19:45:00 UTC 2018
On 1/25/2018 12:20 PM, Jamil Nimeh wrote:
> Wrap and Unwrap: I have not been able to find a standardized
> wrap/unwrap format for ChaCha20 similar to RFC 3394 for AES. Right now
> the wrap() and unwrap() methods just take the encoding of the key to
> be wrapped and encrypts or decrypts them respectively. If anyone is
> aware of a wrapping format for ChaCha20 please let me know. My
> searches have so far come up empty.
I haven't found any standards for key wrap with ChaCha20, either. Until
these standards are developed, I think the implementation should throw
an exception when wrap/unwrap is requested.
The problems with simply encrypting are:
* No integrity protection in bare ChaCha20
* Need to generate a random nonce on wrap---this violates common
expectations about key wrap algorithms
* Not standard, so there is potential for confusion about what the key
wrap algorithm is actually doing
More information about the security-dev
mailing list