Review of draft-ietf-curdle-cms-chacha20-poly1305-04

Yoav Nir <> Sun, 11 December 2016 13:14 UTC

Return-Path: <>
Received: from (localhost [IPv6:::1]) by (Postfix) with ESMTP id 3E8DB12968E; Sun, 11 Dec 2016 05:14:19 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yoav Nir <>
To: <>
Subject: Review of draft-ietf-curdle-cms-chacha20-poly1305-04
X-Test-IDTracker: no
X-IETF-IDTracker: 6.39.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <>
Date: Sun, 11 Dec 2016 05:14:19 -0800
Archived-At: <>
X-Mailman-Version: 2.1.17
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 11 Dec 2016 13:14:19 -0000

Reviewer: Yoav Nir
Review result: Has Nits


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: Ready with nits.

   ChaCha20 is the 20-round variant of ChaCha; it requires a 256-bit
   and a 96-bit nonce.  ChaCha20 is described in [FORIETF].

ChaCha20 is described in DJB's paper. RFC 7539 just repeats the
definition with more detail, examples and test vectors. Same for
Poly1305 in the next paragraph.

Section 3 describes how to use AEAD_CHACHA20_POLY1305 with
AuthEnvelopedData. The algorithm, as stated in section 1.1 has four
inputs: a 256-bit key, a 96-bit nonce, an arbitrary length plaintext,
and an arbitrary length additional authenticated data (AAD). The key
is generated by one of the methods in section 2 (Key Management); the
nonce is generated by the sender. The text requires that it be unique,
but does not mandate of suggest a way of doing this. This is fine. The
plaintext according to section 3 is "the content located in the
AuthEnvelopedData EncryptedContentInfo encryptedContent field". and
the tag is stored in the AuthEnvelopedData mac field.

What's missing is the AAD. I could not find what goes into the AAD.
This is described in section 2.2 of RFC 5083, but it should be either
repeated here or referenced. It's jarring that the other inputs are
described while this one is omitted.

The Security Considerations section seems fine.