Hazmat with ChaCha/Poly1305

ChaCha20 is a stream cipher which uses a 256-bit key and a 96-bit nonce. Currently AES has a virtual monopoly on secret-key encryption, and there would be major problems if it were cracked. Along with this, AES has been shown to be weak against cache-collision attacks. Google thus proposes ChaCha20 as an alternative, and actively uses it within TLS connections. Currently it is three times faster than software-enabled AES, and is not sensitive to timing attacks. It operates by creating a key stream which is then XORed with the plaintext. It has been standardised with RFC 7539. In this case we will use AEAD (Authenticated Encryption with Associated Data), where we can add an additional data element which is authenticated along with the ciphertext. This data might relate to the network port number we are sending to, or to the sequence number of an encrypted data packet. Poly1305 is a message authentication code which provides data integrity and message authenticity. It is standardized in RFC 8439.
Code
Hazmat supports core cryptographical primitives for HOTP:
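```python
import os
import sys
import binascii

from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

msg = "a message"
add = "additional data"

# Optional command-line arguments: the message, then the additional data
if (len(sys.argv)>1):
    msg=str(sys.argv[1])
if (len(sys.argv)>2):
    add=str(sys.argv[2])

print ("Data:\t",msg)
print ("Additional data:\t",add)

# 256-bit key and a random 96-bit (12-byte) nonce
key = ChaCha20Poly1305.generate_key()
chacha = ChaCha20Poly1305(key)
nonce = os.urandom(12)

# The additional data is authenticated but not encrypted;
# the 16-byte Poly1305 tag is appended to the returned ciphertext
cipher = chacha.encrypt(nonce, msg.encode(), add.encode())

# decrypt() needs the same nonce and additional data, and raises InvalidTag otherwise
rtn=chacha.decrypt(nonce, cipher, add.encode())

print ("\nKey:\t",binascii.b2a_hex(key).decode())
print ("Nonce:\t",binascii.b2a_hex(nonce).decode())

print ("\nCipher:\t",binascii.b2a_hex(cipher).decode())
print ("Decrypted:\t",rtn.decode())
```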
A sample run is:
```
Data:    testing 123
Additional data:         additional data123

Key:     c6aa8c0f6066f7aac58821b3a8530d4e7714d6fa8ec94f83b9f48dc8a0c188f2
Nonce:   6afed63c1301c50798719c91

Cipher:  541ed825f38b10c341dd477a78288f88126c1f7917667572a6f106
Decrypted:       testing 123
```
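The additional-data idea described above, as an added example that is not code from the original page: the port and sequence number travel as additional data, and a packet opened with a different port, a different sequence number or a flipped ciphertext bit fails the Poly1305 tag check. The helper names, the header layout and the nonce derived from the sequence number are assumptions made for this illustration.

```python
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

def header(port: int, seq: int) -> bytes:
    """Additional data (assumed layout): 2-byte port, 8-byte sequence number."""
    return struct.pack(">HQ", port, seq)

def nonce_for(seq: int) -> bytes:
    """96-bit nonce built from the sequence number, so it never repeats under one key."""
    return struct.pack(">IQ", 0, seq)

def seal(key: bytes, port: int, seq: int, payload: bytes) -> bytes:
    """Encrypt the payload; the header is authenticated but sent in the clear."""
    return ChaCha20Poly1305(key).encrypt(nonce_for(seq), payload, header(port, seq))

def open_packet(key: bytes, port: int, seq: int, packet: bytes):
    """Return the payload, or None when the Poly1305 tag does not verify."""
    try:
        return ChaCha20Poly1305(key).decrypt(nonce_for(seq), packet, header(port, seq))
    except InvalidTag:
        return None

def demo() -> dict:
    key = ChaCha20Poly1305.generate_key()
    payload = b"testing 123"          # constructed sample payload
    packet = seal(key, 443, 7, payload)
    flipped = bytes([packet[0] ^ 0x01]) + packet[1:]   # one ciphertext bit changed
    return {
        "overhead": len(packet) - len(payload),        # size of the appended tag
        "ok": open_packet(key, 443, 7, packet),
        "wrong_port": open_packet(key, 8443, 7, packet),
        "wrong_seq": open_packet(key, 443, 8, packet),
        "bit_flip": open_packet(key, 443, 7, flipped),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}:\t{result}")
```

The receiver must take the port and sequence number from its own connection state when it calls `open_packet`, so that a packet replayed under another sequence number is rejected instead of decrypted.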