Proposal: ChaCha20 and ChaCha20-Poly1305 Cipher implementations
Jamil Nimeh
jamil.j.nimeh at oracle.com
Thu Jan 25 20:29:08 UTC 2018
On 1/25/2018 11:45 AM, Adam Petcher wrote:
> On 1/25/2018 12:20 PM, Jamil Nimeh wrote:
>
>> Wrap and Unwrap: I have not been able to find a standardized
>> wrap/unwrap format for ChaCha20 similar to RFC 3394 for AES. Right
>> now the wrap() and unwrap() methods just take the encoding of the key
>> to be wrapped and encrypts or decrypts them respectively. If anyone
>> is aware of a wrapping format for ChaCha20 please let me know. My
>> searches have so far come up empty.
>
> I haven't found any standards for key wrap with ChaCha20, either.
> Until these standards are developed, I think the implementation should
> throw an exception when wrap/unwrap is requested.
>
> The problems with simply encrypting are:
>
> * No integrity protection in bare ChaCha20
> * Need to generate a random nonce on wrap---this violates common
> expectations about key wrap algorithms
> * Not standard, so there is potential for confusion about what the key
> wrap algorithm is actually doing
>
>
>
Yeah, that makes sense to me. Unless we find that there is some
standardized format for wrap/unwrap I'll have it throw
UnsupportedOperationException.
--Jamil
More information about the security-dev
mailing list