Using the same key for the Secret Box and Secret Stream

[wodny]

Hi,

I am using libsodium via pynacl to create something similar to saltpack. I create an encrypted and authenticated manifest with the Box class which uses crypto_box_afternm() for encryption using a key generated like this:

    self._shared_key = nacl.bindings.crypto_box_beforenm(
        public_key.encode(encoder=encoding.RawEncoder),
        private_key.encode(encoder=encoding.RawEncoder),
    )

which uses:

• crypto_box_curve25519xsalsa20poly1305_beforenm()
• crypto_scalarmult_curve25519()
• crypto_core_hsalsa20()

Then the manifest contains random symmetric keys generated using crypto_secretstream_xchacha20poly1305_keygen(). Every huge file associated with the manifest is encrypted as a stream of 1MB blobs produced by crypto_secretstream_xchacha20poly1305*() functions.

I was wondering if it would be safe to use the self._shared_key key of the Box for the blobs as well. I didn't do it because I was afraid that, even if not today, the Box itself could use the key with the same initial parameters as I did for my blobs and would eg. use a nonce twice. But maybe it would be safe to use the shared key for the Box but a key/keys derived with some kind of a KDF for the blobs? Or should there be a master key from which by KDF I generate encryption keys for both the Box and the blobs?

[jedisct1]

crypto_box_beforenm returns a value that can later be used with crypto_box_afternm. However, that return value is meant to be treated as opaque.

Semantically, using it for anything else is unexpected. I must admit, I had to check the source code myself to confirm that it's currently just the 32-byte shared key. Although it's unlikely to change, you shouldn't rely on that detail. For instance, beforenm could eventually skip the hashing step, leaving it to afternm instead. Again, this is unlikely, but possible.

For key exchange, it's better to use the dedicated API: crypto_kx. It has the added benefit of producing two separate keys, one for each direction.

That said, using the same key for both box and secretstream is usually fine. As long as crypto_box nonces are chosen randomly and not influenced by an attacker, the risk of a collision is extremely low due to the vast nonce space.

[wodny]

Great, thanks.

BTW, is the mailing list at pureftpd.org alive or is the GitHub discussions the preferred channel?

[jedisct1]

It should be alive, but GitHub discussions are more convenient :)