On 1/25/2018 12:20 PM, Jamil Nimeh wrote:
> Wrap and Unwrap: I have not been able to find a standardized
> wrap/unwrap format for ChaCha20 similar to RFC 3394 for AES. Right now
> the wrap() and unwrap() methods just take the encoding of the key to
> be wrapped and encrypt or decrypt it, respectively. If anyone is
> aware of a wrapping format for ChaCha20 please let me know. My
> searches have so far come up empty.

I haven't found any standards for key wrap with ChaCha20, either. Until
these standards are developed, I think the implementation should throw
an exception when wrap/unwrap is requested.

The problems with simply encrypting are:

* No integrity protection in bare ChaCha20
* Need to generate a random nonce on wrap---this violates common
  expectations about key wrap algorithms
* Not standard, so there is potential for confusion about what the key
  wrap algorithm is actually doing
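
Added example, not part of the original message or of the JDK code under review: it shows the first point in the list above by encrypting key material with bare ChaCha20, changing one bit, and decrypting without any error, then repeating the step under ChaCha20-Poly1305, where the tag check fails. It assumes JDK 11 or later; the class, method and variable names are hypothetical, the keys and nonces are constructed at run time, and the AEAD step is only a contrast, not a standardized wrap format.

```java
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.ChaCha20ParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, needs JDK 11+. Class, method and variable names are hypothetical.
public class ChaCha20WrapIntegrityDemo {
    // A new Cipher per call, so no instance is re-initialised with the same key and nonce.
    static byte[] run(String alg, int mode, SecretKeySpec kek, AlgorithmParameterSpec p,
                      byte[] in) throws Exception {
        Cipher c = Cipher.getInstance(alg);
        c.init(mode, kek, p);
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] kekBytes = new byte[32], keyToWrap = new byte[32];
        byte[] nonce1 = new byte[12], nonce2 = new byte[12];
        rng.nextBytes(kekBytes);   // constructed key-encryption key
        rng.nextBytes(keyToWrap);  // constructed key material to protect
        rng.nextBytes(nonce1);     // a fresh random nonce is needed for every wrap
        rng.nextBytes(nonce2);
        SecretKeySpec kek = new SecretKeySpec(kekBytes, "ChaCha20");

        // 1. "Wrap" as plain ChaCha20 encryption of the key encoding.
        AlgorithmParameterSpec bare = new ChaCha20ParameterSpec(nonce1, 1);
        byte[] wrapped = run("ChaCha20", Cipher.ENCRYPT_MODE, kek, bare, keyToWrap);
        wrapped[0] ^= 0x01;  // one bit changed in storage or transit
        byte[] got = run("ChaCha20", Cipher.DECRYPT_MODE, kek, bare, wrapped);
        // No exception is raised: the caller receives a different key and cannot tell.
        System.out.println("bare ChaCha20 returned the original key: "
                + Arrays.equals(got, keyToWrap));

        // 2. Same data under ChaCha20-Poly1305: the 16-byte tag exposes the change.
        AlgorithmParameterSpec aead = new IvParameterSpec(nonce2);
        byte[] sealed = run("ChaCha20-Poly1305", Cipher.ENCRYPT_MODE, kek, aead, keyToWrap);
        sealed[0] ^= 0x01;
        try {
            run("ChaCha20-Poly1305", Cipher.DECRYPT_MODE, kek, aead, sealed);
            System.out.println("AEAD accepted the modified input");
        } catch (AEADBadTagException e) {
            System.out.println("AEAD rejected the modified input: " + e.getMessage());
        }
    }
}
```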