On 1/25/2018 11:45 AM, Adam Petcher wrote:
On 1/25/2018 12:20 PM, Jamil Nimeh wrote:
Wrap and Unwrap: I have not been able to find a standardized
wrap/unwrap format for ChaCha20 similar to RFC 3394 for AES. Right
now the wrap() and unwrap() methods just take the encoding of the key
to be wrapped and encrypts or decrypts them respectively. If anyone
is aware of a wrapping format for ChaCha20 please let me know. My
searches have so far come up empty.
I haven't found any standards for key wrap with ChaCha20, either.
Until these standards are developed, I think the implementation should
throw an exception when wrap/unwrap is requested.
The problems with simply encrypting are:
* No integrity protection in bare ChaCha20
* Need to generate a random nonce on wrap---this violates common
expectations about key wrap algorithms
* Not standard, so there is potential for confusion about what the key
wrap algorithm is actually doing
Yeah, that makes sense to me. Unless we find that there is some
standardized format for wrap/unwrap I'll have it throw
UnsupportedOperationException.
--Jamil
