Support for AES-GCM in alternative to ChaCha20-Poly1305

[toby-jn]

An issue holding back our adoption of age is the use of ChaCha20-Poly1305 (this is an issue for customers who are particularly opinionated about the algorithms used, e.g. federal, banks etc.).

I noticed in the spec document there is an bullet point under the future work section for:

Support for AES-GCM in alternative to ChaCha20-Poly1305

However this has been struck through (which I assume is implying this is no longer road-mapped).

I have prepared a local fork of age which simply switches out the cipher (although this is obviously incompatible) which works well and was a relatively small change to make.

Is there a reason this support is no longer planned? Obviously I'd rather not maintain a fork of a thing that doesn't comply with the spec, but similarly if there's no upstream interest in supporting both algorithms, then I guess we'll just keep this.

[covert-encryption]

Even though libsodium implements AES-GCM, it only does that when the CPU has hardware support for it, and the AES functions are not exposed at all in many of the bindings, e.g. pynacl. Thus, it can be difficult for implementations to support it.

The whole world is moving over to ChaCha20-Poly1305, which is approved by IETF and NIST and used in TLS, so what you really should be doing is educating your customers. In absence of hardware acceleration AES suffers of side-channel attacks and slow performance. Even with AES hardware acceleration, ChaCha20 runs just as fast using software only.

[toby-jn]

Ok thanks for the detailed (and very quick!) response, I suspected this would be the answer, and for what it's worth I completely agree with the decisions made by this tool... indeed customer education is the right way here.. though I suspect at least for the short term, we'll be using our custom "age-like" protocol 😞

[FiloSottile]

There are no plans at this time. It is somewhat unlikely that an entity with opinions about AES vs ChaCha20 will be ok with X25519, too, so a "checks the boxes" version would need more changes, too.

Of course, forks are fine! Pretty please change the version line in the header, though :)

[kubrickfr]

Hi @FiloSottile ,
For my own education, and likely lack of imagination, how are side-channel attacks a concern in a non interactive context? The puropose of age is to encrypt files from the command line.