> 1. Generate an ephemeral 256-bit Curve25519 key pair.
> 2. Perform a Curve25519 Diffie-Hellman key exchange with the master key to produce a shared secret.
> 3. SHA-256 hash the shared secret to generate a 64-bit IV.
> 4. Add the format number to the first byte of the IV.
> 5. Initialize ChaCha20 with the shared secret as the key.
> 6. Write the 8-byte IV.
> 7. Write the 32-byte ephemeral public key.
> 8. Encrypt the file with ChaCha20 and write the ciphertext.
> 9. Write HMAC(key, plaintext).
A lot of steps involving low-level crypto, which means making an error is easy... ah, yes, there is one actually, right at the end.
What the steps should look like:
> 1. Generate a box ephemeral key using crypto_box_keypair
> 2. Encrypt and authenticate with the ephemeral key as sender and the master key as receiver using crypto_box
> 3. There is no step 3
tptacek once said "If you're writing the letters A, E and S, you're doing it wrong". It doesn't mean you shouldn't use AES; it means you shouldn't use low-level cryptography and should use high-level, hard-to-misuse libraries instead. Use NaCl!
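Added example, not part of the thread or of the tool's code: step 9 of the quoted process tags the plaintext, so a reader has to decrypt the whole file before it can check the MAC, whereas a tag over the ciphertext lets it reject a modified file first. The toy keystream stands in for ChaCha20, and the key, IV, sample data and MAC-key derivation label are constructed for this sketch.

```python
import hashlib
import hmac

KEY = bytes(range(32))   # constructed stand-in for the shared secret
IV = bytes(8)            # constructed 8-byte IV
PLAINTEXT = b"constructed sample file contents\n" * 4

def stream_xor(key, iv, data):
    """Toy keystream (SHA-256 in counter mode); a stand-in, NOT ChaCha20."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + iv + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def seal_quoted(key, iv, pt):
    # Layout of quoted steps 8-9: ciphertext, then HMAC(key, plaintext).
    return stream_xor(key, iv, pt) + tag(key, pt)

def open_quoted(key, iv, blob):
    ct, mac = blob[:-32], blob[-32:]
    pt = stream_xor(key, iv, ct)  # must decrypt before the MAC can be checked
    return hmac.compare_digest(mac, tag(key, pt)), len(pt)

def mac_key(key):
    # Separate MAC key; the b"mac" label is an assumption of this example.
    return hashlib.sha256(b"mac" + key).digest()

def seal_etm(key, iv, pt):
    # Encrypt-then-MAC: the tag covers the IV and the ciphertext.
    ct = stream_xor(key, iv, pt)
    return ct + tag(mac_key(key), iv + ct)

def open_etm(key, iv, blob):
    ct, mac = blob[:-32], blob[-32:]
    if not hmac.compare_digest(mac, tag(mac_key(key), iv + ct)):
        return False, 0           # rejected before any decryption
    return True, len(stream_xor(key, iv, ct))

def flip_first_bit(blob):
    return bytes([blob[0] ^ 1]) + blob[1:]

def compare():
    """(valid, bytes_decrypted) for a modified file under each layout."""
    return (open_quoted(KEY, IV, flip_first_bit(seal_quoted(KEY, IV, PLAINTEXT))),
            open_etm(KEY, IV, flip_first_bit(seal_etm(KEY, IV, PLAINTEXT))))
```

Both layouts reject the modified file; the second value in each pair is how many bytes were decrypted before the verdict.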
If you are creating a reusable tool, you really do not want to specify it in terms of high-level operations that depend on a single library and may change from one version to another.
Just because those steps are explicit there, it does not mean the author isn't using crypto_box or something similar. The author seems to have just copied it into the code, and seems to have a good sense of what to copy.
You can criticize him for not reusing the standard interface, and I agree that if he wanted to use crypto_box, he should just have used it, but not for completely specifying his tool, and not for the actual operations.