Missing function to seal a message with a recipient public key and a nonce #254
Comments
|
Swift-sodium, intentionally hides the nonce management as an implementation detail. It's trivial to extend behaviour if you need to override, but why? |
|
I agree that a reuse of a nonce results in a catastrophic loss of security. But for my purposes I need to know the exact nonce which is used to encrypt a message with a public key and add it to my encrypted file data so it supports the decryption process on my other ends. Is there a way to achieve this? |
|
Yep just change this line to use your custom nonce: |
|
I appreciate your help! But this would lead to the same nonce being re-used every single time right? I still want to use a new random nonce every time. I just want to either know which nonce is used to encrypt the message or be able to pass a custom nonce. And even if I would set a custom nonce in the line you provided, the function Any other ideas? |
|
Ah my mistake, anonymous boxes (unlike the authenticated variant) use the following structure:
Which is why you don't see a nonce call, the nonce is the blake2b digest of the concatenation of the ephemeral_pk and the recipient_pk - which due to the ephemeral nature of the former will always be random. So, you can strip the last Alternatively there is a static:static variant which allows nonce specification, but you require key pairs for sender and recipient. @jedisct1 - let me know if I'm off base with this advice, but I think I'm correct. |
|
EDIT: actually the better way to do it is strip from the anonymous cipher text the prefix representing Then hash it concatenated with your recipients pk. Then you have the nonce. |
|
In Swift, The output is the concatenation of the nonce and the ciphertext. So, if you want the nonce, just extract the 24 first bytes. |
|
@jedisct1 - the anonymous public key encryption maps to the i.e.: https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes I think the answer here is to reconstitute the nonce the same way the
|
|
The anonymous one, but I don't think this is what the OP is referring to. |
|
Your explanation definitely clarifies some things for me. So if I understand this correctly the |
|
@timlangner - first are you using the anonymous or authenticated encryption? i.e: Anonymous Encryption (Sealed Boxes) OR Authenticated Encryption? |
|
Scratch that, I was confused with |
|
I'm using anonymous encryption |
|
@timlangner in that case you need to do what I suggest above. First 24 Bytes is only the nonce with authenticated boxes. With sealed boxes you need to calculate it as:
Where you know the i.e. ephemeral_pk ‖ cc: @jedisct1 |
|
It's good to know that the nonce is not encoded in the first 24 bytes in both cases. That makes a difference in my decryption process. In the tweet-nacl-js-sealed-box library used for the frontend the nonce is always 24 bytes long. |
Hi!
I would like to seal a message with a given public key and a nonce. However, it seems like that I cannot provide my own nonce.
I'm using
sodium.box.seal(message: Bytes, recipientPublicKey: Box.PublicKey)right now which doesn't take a nonce as an argument.A similar function which does this is implemented in the tweetnacl-js-sealed-box library.
Kind regards
Tim
The text was updated successfully, but these errors were encountered: