Nonce header/Xsalsa20

cryptotuke · April 30, 2020, 12:32pm

Good day. I want to ask why 24 bytes Nonce (IV) is used in header when the Xsalsa20 cipher works with 192bytes Nonce. What is the difference between them?

lithium0003 · April 30, 2020, 6:14pm

This source may help you:

github.com

golang/crypto/blob/master/nacl/secretbox/secretbox.go

// Copyright 2012 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

/*
Package secretbox encrypts and authenticates small messages.

Secretbox uses XSalsa20 and Poly1305 to encrypt and authenticate messages with
secret-key cryptography. The length of messages is not hidden.

It is the caller's responsibility to ensure the uniqueness of nonces—for
example, by using nonce 1 for the first message, nonce 2 for the second
message, etc. Nonces are long enough that randomly generated nonces have
negligible risk of collision.

Messages should be small because:

1. The whole message needs to be held in memory to be processed.

2. Using large messages pressures implementations on small machines to decrypt

This file has been truncated. show original

Basically, nonce copy to two parts, first 16 bytes are used sub-key generation and followed 8 bytes are counter fixed bytes.

cryptotuke · April 30, 2020, 6:43pm

I want to ask you, I don't know if I understand it correctly, but for the code you did crypt_rclone and the user enters a password (or salt) and a hash scrypt function creates a string called a key, where the key represents the input key and also the input is a nonce, block counter and Salsa20 consensus depending on the size of the key.

lithium0003 · May 1, 2020, 6:18am

crypt_rclone uses nacl/secretbox as a black box, it needs message bytes, key bytes(32bytes), nonce bytes(24bytes). User defined password/salt(password2) make key bytes. The nonce bytes are generated randomly on encryption and saved in header.

In the secretbox, provided key bytes(32bytes) and nonce bytes(24bytes) are used sub-key generation which used real encryption.
In this part, nonce bytes are separated first 16 bytes and followed 8 bytes, first one used sub-key generation random part and second one used as 'counter' fixed part.

cryptotuke · May 1, 2020, 8:06am

Well thank you I understand. You write that crypt_rclone uses nacl / secretbox as a black box and I know that black box works without any knowledge of its internal workings. Its implementation is "opaque" (black). But I would like to take a closer look inside. Can you send me some explanatory links or would you be able to describe it in your own words? I took a closer look at how Salsa20 and Poly1305 work but I don't understand how Salsa20 is connected to the scrypt Password-Based Key Derivation Function

ncw · May 1, 2020, 3:56pm

Actually the nonce for Xsalsa20 is 192 bits which is exactly 24 bytes.

cryptotuke · May 1, 2020, 4:48pm

Yes I already understood that nonce thank you.