RFE - XChaCha20 support #35
Comments
cipherboy
added a commit
to cipherboy/openbao
that referenced
this issue
Jan 6, 2024
This adds support for XChaCha20-Poly1305, a variant of ChaCha20-Poly1305 with double the nonce size (12->24). Due to the construction of most AEAD cipher modes which lack a synthetic IV (mostly this and GCM), nonce reuse becomes problematic. A small default nonce size (96 bits) results in only 96/2 = 2^48 message encryptions before reuse becomes likely due to the birthday paradox. As a result, NIST has mandated 2^32 as the upper limit on AES-GCM encryption operations in FIPS to keep the threshold sufficiently small. This necessitates key rotation when the limit is reached. By using a larger nonce (24-bytes), key rotation can be avoided. Resolves: openbao#35 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
cipherboy
added a commit
to cipherboy/openbao
that referenced
this issue
Jan 6, 2024
This adds support for XChaCha20-Poly1305, a variant of ChaCha20-Poly1305 with double the nonce size (12->24). Due to the construction of most AEAD cipher modes which lack a synthetic IV (mostly this and GCM), nonce reuse becomes problematic. A small default nonce size (96 bits) results in only 96/2 = 2^48 message encryptions before reuse becomes likely due to the birthday paradox. As a result, NIST has mandated 2^32 as the upper limit on AES-GCM encryption operations in FIPS to keep the threshold sufficiently small. This necessitates key rotation when the limit is reached. By using a larger nonce (24-bytes), key rotation can be avoided. Resolves: openbao#35 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
cipherboy
pushed a commit
to cipherboy/openbao
that referenced
this issue
Jan 21, 2024
* Move testing info to its own section in the README
cipherboy
pushed a commit
to cipherboy/openbao
that referenced
this issue
Jan 21, 2024
* Update deps * update changelog
cipherboy
added a commit
to cipherboy/openbao
that referenced
this issue
Feb 5, 2024
This adds support for XChaCha20-Poly1305, a variant of ChaCha20-Poly1305 with double the nonce size (12->24). Due to the construction of most AEAD cipher modes which lack a synthetic IV (mostly this and GCM), nonce reuse becomes problematic. A small default nonce size (96 bits) results in only 96/2 = 2^48 message encryptions before reuse becomes likely due to the birthday paradox. As a result, NIST has mandated 2^32 as the upper limit on AES-GCM encryption operations in FIPS to keep the threshold sufficiently small. This necessitates key rotation when the limit is reached. By using a larger nonce (24-bytes), key rotation can be avoided. Resolves: openbao#35 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
cipherboy
added a commit
to cipherboy/openbao
that referenced
this issue
Feb 5, 2024
This adds support for XChaCha20-Poly1305, a variant of ChaCha20-Poly1305 with double the nonce size (12->24). Due to the construction of most AEAD cipher modes which lack a synthetic IV (mostly this and GCM), nonce reuse becomes problematic. A small default nonce size (96 bits) results in only 96/2 = 2^48 message encryptions before reuse becomes likely due to the birthday paradox. As a result, NIST has mandated 2^32 as the upper limit on AES-GCM encryption operations in FIPS to keep the threshold sufficiently small. This necessitates key rotation when the limit is reached. By using a larger nonce (24-bytes), key rotation can be avoided. Resolves: openbao#35 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
cipherboy
added a commit
to cipherboy/openbao
that referenced
this issue
Feb 12, 2024
This adds support for XChaCha20-Poly1305, a variant of ChaCha20-Poly1305 with double the nonce size (12->24). Due to the construction of most AEAD cipher modes which lack a synthetic IV (mostly this and GCM), nonce reuse becomes problematic. A small default nonce size (96 bits) results in only 96/2 = 2^48 message encryptions before reuse becomes likely due to the birthday paradox. As a result, NIST has mandated 2^32 as the upper limit on AES-GCM encryption operations in FIPS to keep the threshold sufficiently small. This necessitates key rotation when the limit is reached. By using a larger nonce (24-bytes), key rotation can be avoided. Resolves: openbao#35 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
naphelps
pushed a commit
that referenced
this issue
Feb 12, 2024
This adds support for XChaCha20-Poly1305, a variant of ChaCha20-Poly1305 with double the nonce size (12->24). Due to the construction of most AEAD cipher modes which lack a synthetic IV (mostly this and GCM), nonce reuse becomes problematic. A small default nonce size (96 bits) results in only 96/2 = 2^48 message encryptions before reuse becomes likely due to the birthday paradox. As a result, NIST has mandated 2^32 as the upper limit on AES-GCM encryption operations in FIPS to keep the threshold sufficiently small. This necessitates key rotation when the limit is reached. By using a larger nonce (24-bytes), key rotation can be avoided. Resolves: #35 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Copied from hashicorp/vault#13243, reported by @DemiMarie:
The text was updated successfully, but these errors were encountered: