What it means in practice: "The nonce MUST NOT be repeated or reused with the same key"

[igorgomeslima]

Hello @samuel-lucas6,

I'm try using the XChaCha20-Poly1305 "Authenticated encription", and I little bit confused when read:

The nonce MUST NOT be repeated or reused with the same key. You MUST increment or randomly generate the nonce for each plaintext message encrypted using the same key.

In my scenario I need to encrypt some data and decrypt this data in another moment, like an Token:

>. Request: `my-web-api/token/generate`
>. Response: Some `ciphertext` generated by `ChaCha20Poly1305` in `Base64` format.

But when I tried to use the recommended practices in nouce value(increment or randomly generate) I can't Decrypt data(CryptographicException). In my thinking I need the suitable nounce to do the correct data decryption, but, how will I know the appropriate one, if I generated/incremented the value? I need always extern/public the nounce I used? Like:

>. Request: `my-web-api/token/generate`
>. Response: Some `ciphertext` generated by `ChaCha20Poly1305` in `Base64` format + `nonce`.

Some foo code example:

internal static class Test
{
    private static byte[] Nonce = Convert.FromHexString("215959617100886281727885");
    private static byte[] Key = Convert.FromHexString("774589338485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f");
    private static byte[] AssociatedData = Convert.FromHexString("41534431323333343534");
    
    public static Span<byte> Encrypt(byte[] plainText)
    {
        ConstantTime.Increment(Nonce);

        Span<byte> cipherText = new byte[plainText.Length + ChaCha20Poly1305.TagSize];

        ChaCha20Poly1305.Encrypt(ciphertext, plainText, Nonce, Key, AssociatedData);
        
        return cipherText;
    }

    public static Span<byte> Decrypt(Span<byte> cipherText)
    {
        try
        {
            //ConstantTime.Increment(Nonce);

            Span<byte> plainText = new byte[cipherText.Length - ChaCha20Poly1305.TagSize];

            ChaCha20Poly1305.Decrypt(plainText, cipherText, Nonce, Key, AssociatedData);

            return plainText;
        }
        catch (CryptographicException e)
        {
            Console.WriteLine(e);
            throw;
        }
    }
}

What would be the proper way to deal with this scenario?

Cheers! 😁

[samuel-lucas6]

For encryption, the nonce must be incremented or randomly generated with the same key. If you change the key each time you call Encrypt(), it's acceptable to use the same nonce (e.g. a counter starting at 0).

If the nonce is a counter, you know it always starts at 0, so it doesn't need to be stored. However, if it's randomly generated, you should prepend it to the ciphertext using Spans.Concat(nonceAndCiphertext, nonce, ciphertext).

If you can maintain a counter, you can randomly generate the first nonce and then increment it each time. This means you only need to store the random nonce and not the incremented ones.

For decryption, you need to specify the same inputs as those used for encryption otherwise you'll get an error. If the nonce is prepended to the ciphertext, you just slice it off and decrypt the ciphertext without the nonce.

Hope that helps! I'll try and clarify it in the documentation.

[igorgomeslima]

Thank's @samuel-lucas6, it's more clarify now!

[ektrah]

related discussion