I believe DTLS is wrong. ChaCha20 is little-endian with the counter going first and the nonce afterwards. See also RFC 8439, section 2.3, where the block count is placed before the nonce. https://tools.ietf.org/html/rfc8439#section-2.3
(Well, "wrong". Both are perfectly well-defined, but the DTLS construction results in swapping parts of the sample, which is silly.) On Wed, Nov 6, 2019 at 7:09 PM Martin Thomson <[email protected]> wrote: > It was pointed out to me that the header protection in QUIC and DTLS 1.3 > are different in a non-useful way: > > https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#hp-chacha says > that the first 4 bytes of the sample are the counter, i.e., `counter[4] || > nonce[12]`. DTLS 1.3 says that the last four are, i.e., `nonce[12] || > counter[4]`. > > This seems like a pointless difference that will only cause pain. I > suspect that the right answer is that QUIC is wrong here, but I want to > highlight this issue and want to ensure that this doesn't get baked in > before we resolve it. > > _______________________________________________ > TLS mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
