Also a small note on supporting multiple ciphersuites: It's not a lot of engineering work to make rs-wnfs work with different cryptographic algorithms. Creating the PR to switch to XChaCha was merely an hour of work, and adding support for specifying the ciphersuite would not be much harder. Multiple ciphersuites in addition to a protocol version is what most protocols end up going for, including e.g. TLS and MLS. However, going overboard can quickly lead to cryptographic agility.
We recently decided to switch the main encryption algorithm from AES-GCM to XChaCha20-Poly1305. The main advantage of XChaCha is the extended nonce: It allows us to generate random nonces without ever worrying about an accidental nonce reuse. In general, XChaCha is a good choice for an encryption algorithm: it's part of libsodium, has been the recommendation (also this) from cryptographers, and the non-extended nonce variant is part of the TLS 1.3 ciphersuite.
However, one disadvantage is that AES-GCM is FIPS-approved, while no ChaCha variants are (yet? At the moment?).
I'd love to hear anyone's thoughts on whether FIPS-approval is a prerequisite for their use case and how so.
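A worked illustration of the two points in the post above (how XChaCha consumes a 192-bit nonce, and why random 96-bit nonces are the thing to worry about), added here as an example; it is not rs-wnfs code and not the libsodium implementation. The HChaCha20 routine and the nonce split follow the IETF CFRG XChaCha draft, whose published HChaCha20 test vector the code reproduces; the birthday-bound helper and the demo values in `__main__` are my own construction.

```python
import math
import secrets
from typing import List, Tuple

MASK32 = 0xFFFFFFFF
# ChaCha20 constants: ASCII "expand 32-byte k" as four little-endian words
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def _rotl32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s: List[int], a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _words(b: bytes) -> List[int]:
    return [int.from_bytes(b[i:i + 4], "little") for i in range(0, len(b), 4)]


def hchacha20(key: bytes, nonce16: bytes) -> bytes:
    """HChaCha20: derive a 256-bit subkey from a 256-bit key and the first
    128 bits of an XChaCha nonce. Same 20 rounds as the ChaCha20 block
    function, but with no final state addition, and only rows 0 and 3 of
    the 4x4 state are output."""
    if len(key) != 32 or len(nonce16) != 16:
        raise ValueError("HChaCha20 needs a 32-byte key and a 16-byte nonce")
    s = list(CONSTANTS) + _words(key) + _words(nonce16)
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return b"".join(w.to_bytes(4, "little") for w in s[0:4] + s[12:16])


def xchacha20_subkey_and_nonce(key: bytes, nonce24: bytes) -> Tuple[bytes, bytes]:
    """Split a 192-bit XChaCha nonce the way XChaCha20-Poly1305 does: the
    first 16 bytes go through HChaCha20 to produce a per-message subkey,
    and the last 8 bytes become the low 64 bits of the 96-bit ChaCha20
    nonce (top 32 bits zero). Plain ChaCha20-Poly1305 is then run with
    that (subkey, nonce) pair. Because the subkey differs for every
    distinct 16-byte prefix, the full 192 bits count toward uniqueness."""
    if len(nonce24) != 24:
        raise ValueError("XChaCha needs a 24-byte nonce")
    subkey = hchacha20(key, nonce24[:16])
    chacha_nonce = b"\x00" * 4 + nonce24[16:]
    return subkey, chacha_nonce


def collision_probability(n_messages: int, nonce_bits: int) -> float:
    """Birthday-bound probability that at least two of n uniformly random
    nonces of the given width collide: 1 - exp(-n(n-1) / 2^(bits+1)).
    A collision means a nonce is reused under the same key, which breaks
    confidentiality and authenticity for both AES-GCM and ChaCha20-Poly1305."""
    pairs = n_messages * (n_messages - 1) // 2
    return -math.expm1(-pairs / 2 ** nonce_bits)


if __name__ == "__main__":
    # Constructed demo key and nonce; real code takes them from a CSPRNG/KDF.
    key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(24)
    subkey, inner_nonce = xchacha20_subkey_and_nonce(key, nonce)
    print("subkey      :", subkey.hex())
    print("inner nonce :", inner_nonce.hex())
    # 2^32 messages under one key with random nonces: the AES-GCM limit
    # from NIST SP 800-38D keeps the 96-bit collision chance near 2^-33.
    for bits in (96, 192):
        p = collision_probability(2 ** 32, bits)
        print(f"{bits}-bit random nonces, 2^32 messages: p(collision) ~ 2^{math.log2(p):.1f}")
```

The numbers are the whole argument for the switch: with 96-bit random nonces you must count messages per key and rotate before roughly 2^32 of them, which is the limit NIST SP 800-38D sets for random-IV GCM; with 192-bit random nonces the same count leaves a collision probability around 2^-129, so the counter-free "just draw a random nonce" design the post describes is safe without any per-key bookkeeping.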