RFE - XChaCha20 support #35
cipherboy added a commit to cipherboy/openbao that referenced this issue on Jan 6, 2024:

This adds support for XChaCha20-Poly1305, a variant of ChaCha20-Poly1305 with double the nonce size (12->24).

Due to the construction of most AEAD cipher modes which lack a synthetic IV (mostly this and GCM), nonce reuse becomes problematic. A small default nonce size (96 bits) results in only 96/2 = 2^48 message encryptions before reuse becomes likely due to the birthday paradox. As a result, NIST has mandated 2^32 as the upper limit on AES-GCM encryption operations in FIPS to keep the threshold sufficiently small. This necessitates key rotation when the limit is reached.

By using a larger nonce (24-bytes), key rotation can be avoided.

Resolves: openbao#35
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
cipherboy pushed a commit to cipherboy/openbao that referenced this issue on Jan 21, 2024:

* Move testing info to its own section in the README
cipherboy pushed a commit to cipherboy/openbao that referenced this issue on Jan 21, 2024:

* Update deps
* update changelog
naphelps pushed a commit that referenced this issue on Feb 12, 2024:

This adds support for XChaCha20-Poly1305, a variant of ChaCha20-Poly1305 with double the nonce size (12->24).

Due to the construction of most AEAD cipher modes which lack a synthetic IV (mostly this and GCM), nonce reuse becomes problematic. A small default nonce size (96 bits) results in only 96/2 = 2^48 message encryptions before reuse becomes likely due to the birthday paradox. As a result, NIST has mandated 2^32 as the upper limit on AES-GCM encryption operations in FIPS to keep the threshold sufficiently small. This necessitates key rotation when the limit is reached.

By using a larger nonce (24-bytes), key rotation can be avoided.

Resolves: #35
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
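
The birthday-bound reasoning in the commit message can be checked numerically. The following is an added example, not code from OpenBao or from the commit: it measures first-repeat counts on toy 20-bit random nonces, then applies the approximation p ≈ q^2 / 2^(bits+1) to 96-bit and 192-bit nonces. All function names, the 2^-32 risk budget and the 10,000 encryptions per second rate are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// firstCollision draws uniformly random nonces of the given bit width and
// returns how many were drawn when the first repeat appeared.
func firstCollision(rng *rand.Rand, bits uint) int {
	seen := make(map[uint64]struct{})
	for n := 1; ; n++ {
		v := rng.Uint64() >> (64 - bits)
		if _, dup := seen[v]; dup {
			return n
		}
		seen[v] = struct{}{}
	}
}

// meanFirstCollision averages firstCollision over a number of seeded trials.
func meanFirstCollision(bits uint, trials int, seed int64) float64 {
	rng := rand.New(rand.NewSource(seed))
	total := 0
	for i := 0; i < trials; i++ {
		total += firstCollision(rng, bits)
	}
	return float64(total) / float64(trials)
}

// maxMsgsLog2 returns log2 of the number of random-nonce encryptions one key
// can perform before the collision probability, approximated by the birthday
// bound p ≈ q^2 / 2^(bits+1), reaches 2^log2Risk.
func maxMsgsLog2(bits, log2Risk float64) float64 {
	return (bits + 1 + log2Risk) / 2
}

// daysToLimit converts a budget of 2^log2Msgs messages into days at a steady rate.
func daysToLimit(log2Msgs, perSecond float64) float64 {
	return math.Exp2(log2Msgs) / perSecond / 86400
}

func main() {
	// Toy 20-bit nonces: repeats appear near sqrt(pi/2 * 2^20), about 1283 draws.
	fmt.Printf("20-bit nonce, mean draws to first repeat: %.0f\n", meanFirstCollision(20, 200, 1))
	for _, bits := range []float64{96, 192} {
		m := maxMsgsLog2(bits, -32) // constructed risk budget of 2^-32
		fmt.Printf("%3.0f-bit nonce: 2^%.1f messages, %.3g days at 10k/s\n", bits, m, daysToLimit(m, 1e4))
	}
}
```

With a risk of one half (`log2Risk = -1`) the 96-bit case gives the 2^48 figure quoted in the commit message; at 10,000 encryptions per second a 2^32 limit is reached in about five days, which is where the rotation requirement comes from.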
Copied from hashicorp/vault#13243, reported by @DemiMarie: