refactor: smp encryption switch to xchacha20poly1305

Author: chadsec1

core/constants.py

@@ -12,7 +12,7 @@
 # crypto parameters (bytes)
 CHALLENGE_LEN     = 11264
 
-CHACHA20POLY1305_NONCE_LEN = 12
+XCHACHA20POLY1305_NONCE_LEN = 24
 
 OTP_PAD_SIZE       = 11264
 OTP_PADDING_LENGTH = 2
@@ -71,5 +71,5 @@
 ARGON2_MEMORY      = 256 * 1024   # MB
 ARGON2_ITERS       = 3
 ARGON2_OUTPUT_LEN  = 32           # bytes
-ARGON2_SALT_LEN    = 32           # bytes
+ARGON2_SALT_LEN    = 16           # bytes (Must be always 16 for interoperability with libsodium.)
 ARGON2_LANES       = 4

core/trad_crypto.py

@@ -8,13 +8,10 @@
 These functions rely on the cryptography library and are intended for use within Coldwire's higher-level protocol logic.
 """
 
-from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
-from cryptography.hazmat.primitives.kdf.argon2 import Argon2id
-from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.kdf.hkdf import HKDF
+from nacl import pwhash, bindings
 from core.constants import (
     OTP_PAD_SIZE,
-    CHACHA20POLY1305_NONCE_LEN,
+    XCHACHA20POLY1305_NONCE_LEN,
     ARGON2_ITERS,
     ARGON2_MEMORY,
     ARGON2_LANES,
@@ -41,15 +38,7 @@ def sha3_512(data: bytes) -> bytes:
     return h.digest()
 
 
-def hkdf(key: bytes, length: int = 32, salt: bytes = None, info: bytes = None) -> bytes:
-    return HKDF(
-        algorithm = hashes.SHA3_256(),
-        length = length,
-        salt = salt,
-        info = info,
-    ).derive(key)
-
-def derive_key_argon2id(password: bytes, salt: bytes = None, salt_length: int = ARGON2_SALT_LEN, output_length: int = ARGON2_OUTPUT_LEN) -> tuple[bytes, bytes]:
+def derive_key_argon2id(password: bytes, salt: bytes = None, output_length: int = ARGON2_OUTPUT_LEN) -> tuple[bytes, bytes]:
     """
     Derive a symmetric key from a password using Argon2id.
 
@@ -67,20 +56,18 @@ def derive_key_argon2id(password: bytes, salt: bytes = None, salt_length: int =
         - salt: The salt used for derivation.
     """
     if salt is None:
-        salt = secrets.token_bytes(salt_length)
+        salt = secrets.token_bytes(ARGON2_SALT_LEN)
 
-    kdf = Argon2id(
-        salt=salt,
-        iterations=ARGON2_ITERS,
-        memory_cost=ARGON2_MEMORY,
-        length=output_length,
-        lanes=ARGON2_LANES
-    )
-    derived_key = kdf.derive(password)
-    return derived_key, salt
+    return pwhash.argon2id.kdf(
+        output_length, 
+        password,
+        salt,
+        opslimit = ARGON2_ITERS,
+        memlimit = ARGON2_MEMORY
+    ), salt
 
 
-def encrypt_chacha20poly1305(key: bytes, plaintext: bytes, counter: int = None, counter_safety: int = 2 ** 32) -> tuple[bytes, bytes]:
+def encrypt_xchacha20poly1305(key: bytes, plaintext: bytes, counter: int = None, counter_safety: int = 2 ** 32) -> tuple[bytes, bytes]:
     """
     Encrypt plaintext using ChaCha20Poly1305.
 
@@ -96,19 +83,19 @@ def encrypt_chacha20poly1305(key: bytes, plaintext: bytes, counter: int = None,
         - nonce: The randomly generated AES-GCM nonce.
         - ciphertext: The encrypted data including the authentication tag.
     """
-    nonce = secrets.token_bytes(CHACHA20POLY1305_NONCE_LEN)
+    nonce = secrets.token_bytes(XCHACHA20POLY1305_NONCE_LEN)
     if counter is not None:
         if counter > counter_safety:
             raise ValueError("ChaCha counter has overflowen")
 
-        nonce = nonce[:CHACHA20POLY1305_NONCE_LEN - 4] + counter.to_bytes(4, "big")
+        nonce = nonce[:XCHACHA20POLY1305_NONCE_LEN - 4] + counter.to_bytes(4, "big")
+
+    ciphertext = bindings.crypto_aead_xchacha20poly1305_ietf_encrypt(plaintext, None, nonce, key) 
 
-    chacha = ChaCha20Poly1305(key)
-    ciphertext = chacha.encrypt(nonce, plaintext, None)
     return nonce, ciphertext
 
 
-def decrypt_chacha20poly1305(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
+def decrypt_xchacha20poly1305(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
     """
     Decrypt ciphertext using ChaCha20Poly1305.
 
@@ -122,7 +109,7 @@ def decrypt_chacha20poly1305(key: bytes, nonce: bytes, ciphertext: bytes) -> byt
     Returns:
         The decrypted plaintext bytes.
     """
-    chacha = ChaCha20Poly1305(key)
-    return chacha.decrypt(nonce, ciphertext, None)
+
+    return bindings.crypto_aead_xchacha20poly1305_ietf_decrypt(ciphertext, None, nonce, key)
 
 

logic/smp.py

@@ -46,20 +46,20 @@
 from core.trad_crypto import (
         derive_key_argon2id, 
         sha3_512,
-        hkdf,
-        encrypt_chacha20poly1305,
-        decrypt_chacha20poly1305
+        encrypt_xchacha20poly1305,
+        decrypt_xchacha20poly1305
 )
 from base64 import b64encode, b64decode
 from core.constants import (
         SMP_NONCE_LENGTH,
         SMP_PROOF_LENGTH,
         SMP_QUESTION_MAX_LEN,
         SMP_ANSWER_OUTPUT_LEN,
+        ARGON2_SALT_LEN,
         ML_KEM_1024_NAME,
         ML_KEM_1024_CT_LEN,
         ML_DSA_87_PK_LEN,
-        CHACHA20POLY1305_NONCE_LEN
+        XCHACHA20POLY1305_NONCE_LEN
 )
 import hashlib
 import secrets
@@ -134,13 +134,9 @@ def smp_step_2(user_data: dict, user_data_lock, contact_id: str, message: dict,
     our_nonce = secrets.token_bytes(SMP_NONCE_LENGTH)
 
     key_ciphertext, chacha_key = encap_shared_secret(contact_kem_public_key, ML_KEM_1024_NAME)
-    chacha_key = hkdf(
-            chacha_key, 
-            salt = contact_id.encode("utf-8") + our_id.encode("utf-8"), 
-            info = b"Coldwire SMP encryption ChaCha20 key"
-        )
+    chacha_key = sha3_512(chacha_key)[:32]
 
-    ciphertext_nonce, ciphertext_blob = encrypt_chacha20poly1305(
+    ciphertext_nonce, ciphertext_blob = encrypt_xchacha20poly1305(
             chacha_key, 
             signing_public_key + our_nonce, 
             counter = 2
@@ -187,19 +183,14 @@ def smp_step_3(user_data: dict, user_data_lock: threading.Lock, contact_id: str,
     ciphertext_blob = b64decode(message["ciphertext_blob"], validate = True)
     key_ciphertext = ciphertext_blob[:ML_KEM_1024_CT_LEN]
 
-    print(len(our_kem_private_key))
     chacha_key = decap_shared_secret(key_ciphertext, our_kem_private_key, ML_KEM_1024_NAME)
 
-    chacha_key = hkdf(
-            chacha_key, 
-            salt = our_id.encode("utf-8") + contact_id.encode("utf-8"), 
-            info = b"Coldwire SMP encryption ChaCha20 key"
-        )
+    chacha_key = sha3_512(chacha_key)[:32]
 
-    smp_plaintext = decrypt_chacha20poly1305(
+    smp_plaintext = decrypt_xchacha20poly1305(
             chacha_key, 
-            ciphertext_blob[ML_KEM_1024_CT_LEN : ML_KEM_1024_CT_LEN + CHACHA20POLY1305_NONCE_LEN],
-            ciphertext_blob[ML_KEM_1024_CT_LEN + CHACHA20POLY1305_NONCE_LEN:]
+            ciphertext_blob[ML_KEM_1024_CT_LEN : ML_KEM_1024_CT_LEN + XCHACHA20POLY1305_NONCE_LEN],
+            ciphertext_blob[ML_KEM_1024_CT_LEN + XCHACHA20POLY1305_NONCE_LEN:]
         )
 
     contact_signing_public_key = smp_plaintext[:ML_DSA_87_PK_LEN]
@@ -212,7 +203,7 @@ def smp_step_3(user_data: dict, user_data_lock: threading.Lock, contact_id: str,
     contact_key_fingerprint = sha3_512(contact_signing_public_key)
 
     # Derieve a high-entropy secret key from the low-entropy answer
-    argon2id_salt = sha3_512(contact_nonce + our_nonce)
+    argon2id_salt = sha3_512(contact_nonce + our_nonce)[:ARGON2_SALT_LEN]
     answer_secret, _ = derive_key_argon2id(answer.encode("utf-8"), salt = argon2id_salt, output_length = SMP_ANSWER_OUTPUT_LEN)
 
     # Compute our proof
@@ -221,7 +212,7 @@ def smp_step_3(user_data: dict, user_data_lock: threading.Lock, contact_id: str,
 
     logger.debug("Our proof of contact (%s) public-key fingerprint: %s", contact_id, our_proof)
 
-    ciphertext_nonce, ciphertext_blob = encrypt_chacha20poly1305(
+    ciphertext_nonce, ciphertext_blob = encrypt_xchacha20poly1305(
             chacha_key, 
             signing_public_key + our_nonce + our_proof + question.encode("utf-8"), 
             counter = 3
@@ -259,7 +250,7 @@ def smp_step_4_request_answer(user_data, user_data_lock, contact_id, message, ui
         tmp_key = b64decode(user_data["contacts"][contact_id]["lt_sign_key_smp"]["tmp_key"])
 
     ciphertext_blob = b64decode(message["ciphertext_blob"], validate = True)
-    smp_plaintext = decrypt_chacha20poly1305(tmp_key, ciphertext_blob[:CHACHA20POLY1305_NONCE_LEN], ciphertext_blob[CHACHA20POLY1305_NONCE_LEN:])
+    smp_plaintext = decrypt_xchacha20poly1305(tmp_key, ciphertext_blob[:XCHACHA20POLY1305_NONCE_LEN], ciphertext_blob[XCHACHA20POLY1305_NONCE_LEN:])
 
     contact_signing_public_key = smp_plaintext[:ML_DSA_87_PK_LEN]
     contact_nonce = b64encode(smp_plaintext[ML_DSA_87_PK_LEN : SMP_NONCE_LENGTH + ML_DSA_87_PK_LEN]).decode()
@@ -306,7 +297,7 @@ def smp_step_4_answer_provided(user_data, user_data_lock, contact_id, answer, ui
     our_key_fingerprint = sha3_512(our_signing_public_key)
 
     # Derieve a high-entropy secret key from the low-entropy answer
-    argon2id_salt = sha3_512(our_nonce + contact_nonce)
+    argon2id_salt = sha3_512(our_nonce + contact_nonce)[:ARGON2_SALT_LEN]
     answer_secret, _ = derive_key_argon2id(answer.encode("utf-8"), salt = argon2id_salt, output_length = SMP_ANSWER_OUTPUT_LEN)
 
     # Compute our proof
@@ -330,7 +321,7 @@ def smp_step_4_answer_provided(user_data, user_data_lock, contact_id, answer, ui
     our_proof = contact_nonce + our_nonce + contact_key_fingerprint
     our_proof = hmac.new(answer_secret, our_proof, hashlib.sha3_512).digest()
 
-    ciphertext_nonce, ciphertext_blob = encrypt_chacha20poly1305(
+    ciphertext_nonce, ciphertext_blob = encrypt_xchacha20poly1305(
             tmp_key, 
             our_proof, 
             counter = 4
@@ -377,15 +368,15 @@ def smp_step_5(user_data, user_data_lock, contact_id, message, ui_queue) -> None
     our_key_fingerprint = sha3_512(our_signing_public_key + our_kem_public_key)
 
     # Derieve a high-entropy secret key from the low-entropy answer
-    argon2id_salt = sha3_512(contact_nonce + our_nonce)
+    argon2id_salt = sha3_512(contact_nonce + our_nonce)[:ARGON2_SALT_LEN]
     answer_secret, _ = derive_key_argon2id(answer.encode("utf-8"), salt = argon2id_salt, output_length = SMP_ANSWER_OUTPUT_LEN)
 
     # Compute the proof
     our_proof = our_nonce + contact_nonce + our_key_fingerprint
     our_proof = hmac.new(answer_secret, our_proof, hashlib.sha3_512).digest()
 
     ciphertext_blob = b64decode(message["ciphertext_blob"], validate = True)
-    contact_proof = decrypt_chacha20poly1305(tmp_key, ciphertext_blob[:CHACHA20POLY1305_NONCE_LEN], ciphertext_blob[CHACHA20POLY1305_NONCE_LEN:])
+    contact_proof = decrypt_xchacha20poly1305(tmp_key, ciphertext_blob[:XCHACHA20POLY1305_NONCE_LEN], ciphertext_blob[XCHACHA20POLY1305_NONCE_LEN:])
 
 
     logger.debug("SMP Proof sent to us: %s", contact_proof)

logic/storage.py

@@ -3,7 +3,8 @@
 from core.constants import (
         ML_KEM_1024_NAME,
         CLASSIC_MCELIECE_8_F_NAME,
-        ACCOUNT_FILE_PATH
+        ACCOUNT_FILE_PATH,
+        ARGON2_SALT_LEN
 
 )
 import core.trad_crypto as crypto
@@ -29,11 +30,11 @@ def load_account_data(password = None) -> dict:
 
             # first 12 bytes is nonce, and last 32 bytes is the password salt, 
             # and the ciphertext is inbetween.
-            password_kdf, _ = crypto.derive_key_argon2id(password.encode(), salt=blob[-32:])
+            password_kdf, _ = crypto.derive_key_argon2id(password.encode(), salt=blob[-ARGON2_SALT_LEN:])
 
-            blob = blob[:-32]
+            blob = blob[:-ARGON2_SALT_LEN]
 
-            user_data = json.loads(crypto.decrypt_chacha20poly1305(password_kdf, blob[:12], blob[12:]))
+            user_data = json.loads(crypto.decrypt_xchacha20poly1305(password_kdf, blob[:12], blob[12:]))
 
 
 
@@ -195,7 +196,7 @@ def save_account_data(user_data: dict, user_data_lock, password = None) -> None:
         password_kdf, password_salt = crypto.derive_key_argon2id(password.encode())
 
 
-        nonce, ciphertext = crypto.encrypt_chacha20poly1305(password_kdf, json.dumps(user_data).encode("utf-8"))
+        nonce, ciphertext = crypto.encrypt_xchacha20poly1305(password_kdf, json.dumps(user_data).encode("utf-8"))
         with open(ACCOUNT_FILE_PATH, "wb") as f:
             f.write(nonce + ciphertext + password_salt)