tink-crypto / tink

Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
https://developers.google.com/tink
Apache License 2.0
13.47k stars 1.18k forks

Allow setting of nonce when encrypting a payload with XChaCha20Poly1305 #292

Closed bdemers closed 4 years ago

bdemers commented 4 years ago

The algorithm used to generate Paseto tokens requires the nonce to be encoded into the token (as well as used to create the ciphertext).

See: https://paseto.io/rfc/

   3.  Calculate BLAKE2b of the message "m" with the output of step 2 as
       the key, with an output length of 24.  This will be our nonce,
       "n".

       *  This step is to ensure that an RNG failure does not result in
          a nonce-misuse condition that breaks the security of our
          stream cipher.

   4.  Pack "h", "n", and "f" together (in that order) using PAE (see
       Section 2.2).  We'll call this "preAuth".

   5.  Encrypt the message using XChaCha20-Poly1305, using an AEAD
       interface such as the one provided in libsodium.  (See below for
       pseudocode.)

   6.  If "f" is:

       *  Empty: return h || b64(n || c)

       *  Non-empty: return h || b64(n || c) || "." || base64url(f)

       *  ...where || means "concatenate"

                c = crypto_aead_xchacha20poly1305_encrypt(
                    message = m
                    aad = preAuth
                    nonce = n
                    key = k
                );

               Step 5: PASETO v2 encryption (calculating c)
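The v2.local procedure quoted above (steps 3 to 6), worked end to end as an added example; this is not Tink code and not the PASETO reference implementation. It assumes pure-Python ChaCha20, HChaCha20 and Poly1305 written out here from RFC 8439 and the XChaCha draft so the script runs offline on the standard library alone (hashlib supplies the keyed BLAKE2b of step 3); the 24 random bytes of step 2 are passed in as a parameter, and the names v2_local_encrypt, derive_nonce and pae are this example's own. The point it makes concrete is the one the issue turns on: in step 5 the caller hands the AEAD a nonce it computed itself, which is precisely the input an AEAD interface that generates its own nonce cannot take.

```python
# Added example (not Tink code, not the PASETO reference implementation):
# PASETO v2.local encryption, steps 3 to 6 of the quoted RFC text, in pure Python.
# ChaCha20/HChaCha20/Poly1305 are written out from RFC 8439 and the XChaCha
# draft so this runs offline; in production use libsodium or a vetted library.
import base64
import hashlib
import struct

MASK32 = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)

def _twenty_rounds(s):
    for _ in range(10):  # 10 double rounds = 20 rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, a, b, c, d)

def chacha20_block(key, counter, nonce12):
    """One 64-byte ChaCha20 keystream block (RFC 8439 section 2.3)."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce12))
    work = init[:]
    _twenty_rounds(work)
    return struct.pack("<16I", *((work[i] + init[i]) & MASK32 for i in range(16)))

def hchacha20(key, nonce16):
    """XChaCha subkey: run the rounds on key || first 16 nonce bytes, keep words 0-3 and 12-15."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + nonce16))
    _twenty_rounds(state)
    return struct.pack("<8I", *(state[0:4] + state[12:16]))

def _chacha20_xor(key, nonce12, counter, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], chacha20_block(key, counter + i // 64, nonce12)))
    return bytes(out)

def poly1305_tag(otk, msg):
    """Poly1305 one-time MAC (RFC 8439 section 2.5); otk is r || s."""
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:], "little")
    p, acc = (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):  # each block gets a 0x01 byte appended
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _pad16(b):
    return b + b"\x00" * (-len(b) % 16)

def xchacha20poly1305_encrypt(message, aad, nonce24, key):
    """AEAD with a 24-byte nonce, same argument order as libsodium; returns ciphertext || tag."""
    subkey = hchacha20(key, nonce24[:16])
    nonce12 = b"\x00" * 4 + nonce24[16:]      # remaining 8 nonce bytes, 4-byte zero prefix
    one_time_key = chacha20_block(subkey, 0, nonce12)[:32]
    ciphertext = _chacha20_xor(subkey, nonce12, 1, message)
    mac_input = _pad16(aad) + _pad16(ciphertext) + struct.pack("<QQ", len(aad), len(ciphertext))
    return ciphertext + poly1305_tag(one_time_key, mac_input)

def pae(pieces):
    """Pre-Authentication Encoding (PASETO RFC section 2.2): LE64 count, then LE64 length || piece."""
    out = struct.pack("<Q", len(pieces))
    for piece in pieces:
        out += struct.pack("<Q", len(piece)) + piece
    return out

def derive_nonce(message, random_bytes):
    """Step 3: keyed BLAKE2b of the message with the 24 random bytes of step 2 as key."""
    return hashlib.blake2b(message, key=random_bytes, digest_size=24).digest()

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def v2_local_encrypt(message, key, random_bytes, footer=b""):
    """Steps 3 to 6: m, k, f as in the RFC; random_bytes are the step-2 CSPRNG output."""
    header = b"v2.local."
    nonce = derive_nonce(message, random_bytes)          # step 3
    pre_auth = pae([header, nonce, footer])              # step 4
    c = xchacha20poly1305_encrypt(message, pre_auth, nonce, key)  # step 5: nonce is caller-supplied
    token = header.decode() + b64url(nonce + c)          # step 6: h || b64(n || c)
    return token + ("." + b64url(footer) if footer else "")

if __name__ == "__main__":
    import os
    print(v2_local_encrypt(b'{"data":"hello"}', os.urandom(32), os.urandom(24), b"kid=1"))
```

Because the nonce is a keyed hash of the message, two runs with the same key, message and step-2 random bytes produce byte-identical tokens, and the nonce itself is the first 24 bytes inside the base64url payload, which is why a verifier can recover it without it ever being stored separately.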
thaidn commented 4 years ago

I'm sorry, but we cannot make this change. Tink is all about avoiding asking users for critical input.

On a side note, PASETO should use a randomly generated nonce. Deriving it from the message does not really enhance security against RNG failure, see https://github.com/paragonie/paseto/issues/103.

bdemers commented 4 years ago

Thanks for following up (and the link)!