Missing function to seal a message with a recipient public key and a nonce #254
Comments
Swift-sodium intentionally hides the nonce management as an implementation detail. It's trivial to extend behaviour if you need to override, but why?
I agree that a reuse of a nonce results in a catastrophic loss of security. But for my purposes I need to know the exact nonce which is used to encrypt a message with a public key and add it to my encrypted file data so it supports the decryption process on my other ends. Is there a way to achieve this?
Yep just change this line to use your custom nonce:
I appreciate your help! But this would lead to the same nonce being re-used every single time, right? I still want to use a new random nonce every time. I just want to either know which nonce is used to encrypt the message or be able to pass a custom nonce. And even if I would set a custom nonce in the line you provided, the function Any other ideas?
Ah my mistake, anonymous boxes (unlike the authenticated variant) use the following structure:
Which is why you don't see a nonce call, the nonce is the blake2b digest of the concatenation of the ephemeral_pk and the recipient_pk - which due to the ephemeral nature of the former will always be random. So, you can strip the last Alternatively there is a static:static variant which allows nonce specification, but you require key pairs for sender and recipient. @jedisct1 - let me know if I'm off base with this advice, but I think I'm correct.
EDIT: actually the better way to do it is strip from the anonymous cipher text the prefix representing Then hash it concatenated with your recipient's pk. Then you have the nonce.
In Swift, The output is the concatenation of the nonce and the ciphertext. So, if you want the nonce, just extract the 24 first bytes.
@jedisct1 - the anonymous public key encryption maps to the i.e.: https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes I think the answer here is to reconstitute the nonce the same way the
The anonymous one, but I don't think this is what the OP is referring to.
Your explanation definitely clarifies some things for me. So if I understand this correctly the
@timlangner - first are you using the anonymous or authenticated encryption? i.e: Anonymous Encryption (Sealed Boxes) OR Authenticated Encryption?
Scratch that, I was confused with
I'm using anonymous encryption
@timlangner in that case you need to do what I suggest above. First 24 Bytes is only the nonce with authenticated boxes. With sealed boxes you need to calculate it as:
Where you know the i.e. ephemeral_pk ‖ cc: @jedisct1
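The nonce derivation described in the comment above, as an added example that is not part of the original thread or of swift-sodium: it uses only the Python standard library and follows libsodium's sealed-box layout (ephemeral_pk ‖ box output, nonce = BLAKE2b over ephemeral_pk ‖ recipient_pk). The function names and the sample bytes are constructed for illustration.

```python
import hashlib
from typing import Tuple

PUBLICKEYBYTES = 32   # crypto_box_PUBLICKEYBYTES
NONCEBYTES = 24       # crypto_box_NONCEBYTES
MACBYTES = 16         # crypto_box_MACBYTES
SEALBYTES = PUBLICKEYBYTES + MACBYTES  # per-message overhead of a sealed box


def split_sealed_box(sealed: bytes) -> Tuple[bytes, bytes]:
    """Split a sealed box into (ephemeral_pk, boxed ciphertext including MAC)."""
    if len(sealed) < SEALBYTES:
        raise ValueError("too short to be a sealed box")
    return sealed[:PUBLICKEYBYTES], sealed[PUBLICKEYBYTES:]


def sealed_box_nonce(sealed: bytes, recipient_pk: bytes) -> bytes:
    """Recompute the nonce: unkeyed BLAKE2b, 24-byte output, over
    ephemeral_pk || recipient_pk. It is never stored in the ciphertext."""
    if len(recipient_pk) != PUBLICKEYBYTES:
        raise ValueError("recipient public key must be 32 bytes")
    ephemeral_pk, _ = split_sealed_box(sealed)
    return hashlib.blake2b(ephemeral_pk + recipient_pk,
                           digest_size=NONCEBYTES).digest()


def authenticated_box_nonce(combined: bytes) -> bytes:
    """Per the thread: the authenticated box output is nonce || ciphertext,
    so here the nonce is simply the first 24 bytes."""
    if len(combined) < NONCEBYTES + MACBYTES:
        raise ValueError("too short to be nonce || ciphertext")
    return combined[:NONCEBYTES]


# Constructed sample input: byte layout only, not real keys or ciphertext.
RECIPIENT_PK = bytes(range(32))
EPHEMERAL_PK = bytes(range(100, 132))
SAMPLE_SEALED = EPHEMERAL_PK + bytes(MACBYTES) + b"\xaa" * 11

if __name__ == "__main__":
    print(sealed_box_nonce(SAMPLE_SEALED, RECIPIENT_PK).hex())
```

BLAKE2b configured for a 24-byte output is not a truncated 64-byte BLAKE2b digest, so every platform that recomputes the nonce must set the output length to 24.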
It's good to know that the nonce is not encoded in the first 24 bytes in both cases. That makes a difference in my decryption process. In the tweet-nacl-js-sealed-box library used for the frontend the nonce is always 24 bytes long.
Hi!
I would like to seal a message with a given public key and a nonce. However, it seems that I cannot provide my own nonce.
I'm using
sodium.box.seal(message: Bytes, recipientPublicKey: Box.PublicKey)
right now, which doesn't take a nonce as an argument. A similar function which does this is implemented in the tweetnacl-js-sealed-box library.
Kind regards
Tim