JDK-8184357 : Test Plan for ChaCha20 and Poly1305 algorithms
  • Type: JEP Task
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Fix Versions: 11
  • Submitted: 2017-07-13
  • Updated: 2018-05-11
  • Resolved: 2018-05-11
Related Reports
Blocks :  
Blocks :  
Blocks :  
Blocks :  
Blocks :  
Blocks :  
Blocks :  
Relates :  
Sub Tasks
JDK-8199292 :  
JDK-8199293 :  
JDK-8199294 :  
JDK-8199296 :  
JDK-8199297 :  
Description
## Summary
ChaCha20 is a high-speed stream cipher, and poly1305 is a high-speed message authentication code. While ChaCha20-Poly1305 is an authenticated encryption with additional data (AEAD) cipher.

JEP [JDK-8153028](https://bugs.openjdk.java.net/browse/JDK-8153028) will implement ciphers ChaCha20 and ChaCha20-Poly1305. It also provides a new key generator implementation on ChaCha20.

## KAT Testing
RFC7539 [section 2.4.2](https://tools.ietf.org/html/rfc7539#section-2.4.2) gives some examples and test vectors for the ChaCha20 Cipher.
And [section 2.5.2](https://tools.ietf.org/html/rfc7539#section-2.5.2) gives some examples and test vectors for the ChaCha20-Poly1305 Cipher. They can be used for KAT testing.

## Interoperability Testing
The latest Bouncy Castle versions have supported ChaCha20 and ChaCha20-Poly1305 ciphers, and especially it has a pure java implementation, so it can take an Interoperability testing with this 3rd-party library.

There is an existing interoperability test on Bouncy Castle: [closed/security/infra/javax/crypto/Cipher/BouncyCastleInterop.java](https://java.se.oracle.com/source/xref/jdk9-dev/jdk/test/closed/security/infra/javax/crypto/Cipher/BouncyCastleInterop.java). It's better to refactor it for adding more test cases. It should allow to receive different transformations. It also should support testing AEAD ciphers.

## Key Generation
The new key generator implementation on ChaCha20 doesn't introduce new or modify existing public API. The following is a usage example:
```
KeyGenerator kg = KeyGenerator.getInstance(���ChaCha20���);
kg.init(256);
SecretKey key = kg.generateKey();
```
The key size must be 256, otherwise InvalidParameterException will raise.

## ChaCha20ParameterSpec
javax.crypto.spec.ChaCha20ParameterSpec is a new introduced implementation on AlgorithmParameterSpec, and it is the only change on public API. It holds nonce and initial block counter for ChaCha20 cipher. Especially, the nonce size must be 96-bit. While block counter has no restricted.
Comments
According to the section "Non-Goals" in JEP JDK-8153028, no cipher suite will be implemented, so just removed all of cipher suite associated items from this test plan.
07-03-2018

RFC7905 defines the following ciphers: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xCC, 0xA8} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = {0xCC, 0xA9} TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xCC, 0xAA} TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xCC, 0xAB} TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xCC, 0xAC} TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xCC, 0xAD} TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xCC, 0xAE} Please indicate exactly what ciphers will be supported and which .not. will be supported.
08-08-2017