-
CSR
-
Resolution: Approved
-
P3
-
None
-
behavioral
-
low
-
If consumers of the API depend on decrypt mode ciphers throwing InvalidKeyException in order to implement workarounds to reuse the key and nonce this change may cause issues. This however is a highly unlikely case to see in the field.
-
Implementation
Summary
This change will alter the initialization behavior for the SunJCE ChaCha20 and ChaCha20-Poly1305 implementations to match that of AES-GCM. It will allow key/nonce reuse when in DECRYPT_MODE where it did not previously.
Problem
AEAD-based ciphers do not allow key and nonce reuse for encryption with different plaintext inputs as it creates a situation where data can be compromised. Key/nonce reuse for decryption is not a problem since the result is the plaintext. Key and nonce reuse for decryption can be helpful in cases where a user may need to decrypt data using the same key and nonce a second time. Currently AES-GCM allows key/nonce reuse for decryption, but ChaCha20 and ChaCha20-Poly1305 do not. The latter two ciphers should conform to the AES-GCM behavior.
Solution
Allow the ChaCha20 and ChaCha20-Poly1305 cipher instances to reuse the key and nonce when in DECRYPT_MODE:
- The cipher will return to its previously initialized state following a
doFinalcall. - The cipher may perform two
doFinaloperations using the same key and nonce without an interveninginitcall. - The cipher may re-initialize itself with the same key and nonce without throwing an
InvalidKeyException
These allowances do not extend to ENCRYPT_MODE ChaCha20 or ChaCha20-Poly1305 SunJCE Cipher instances. The key/nonce reuse prohibitions in encrypt mode remain unchanged from their current behavior.
Specification
There are no specification changes.
- csr of
-
JDK-8305091 Change ChaCha20 cipher init behavior to match AES-GCM
-
- Closed
-