
I happen to recall that CHACHA20 ciphers are not compliant with both NIST guidelines and FIPS/HIPAA standards, as used to be stated by htbridge.com SSL tests years ago. I just found a similar note here and comments about this here.

What I couldn't find is why they are not compliant. I see that TLS_CHACHA20_POLY1305_SHA256 in particular is used more and more on TLSv1.2 and TLSv1.3. So my question is: Why are CHACHA20 TLS ciphers not compliant with the NIST guidelines and FIPS/HIPAA standards?

And does this apply to all CHACHA20 ciphers on all TLS versions or just on a subset of them?

2 Answers

8

The Reddit thread that you link to seems to answer the question: there is a specific list of cryptographic algorithms that have been validated and approved by NIST, and ChaCha20 is not on that list.

https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program

Validating cryptographic algorithms takes time (and money), and involves a lot of bureaucratic overheads. So unless there is a strong business case for NIST to invest resources in doing so for a specific algorithm, it will never end up on their approval list, regardless of its actual security.

And that does not mean that there is necessarily anything wrong with the algorithm, or that it is insecure. And it should also be noted that something being approved by NIST also does not necessarily mean that it is secure (see the infamous case of DUAL_EC_DRBG).

It just means that one specific organisation in the USA has not validated and approved its usage (potentially for their own benefit rather than yours) - so if you are required to only use NIST approved algorithms then it would not be compliant. And if you aren't required to only use NIST approved algorithms, then you shouldn't worry about it.

5

ChaCha20 is a stream cipher, and there currently isn't any NIST-approved stream cipher at all. The only option is the block cipher AES (Triple DES and Skipjack are only approved for legacy decryption). Of course AES can be (and almost always is) used in a mode of operation like GCM which makes it behave like a stream cipher, but it's still a block cipher.

The topic of standardizing a stream cipher especially for resource-constrained environments has been discussed within the NIST since at least 2011. In the Lightweight Crypto Standardization Process, there was at least one stream cipher (Grain-128AEAD) which made it to the final round, but ultimately, it lost to a block cipher.

So the NIST doesn't reject stream ciphers, nor have they (as far as I'm aware) ever recommended against ChaCha20 in particular. It's just that the algorithm hasn't gone through any NIST standardization process. I'm not even sure if Bernstein ever tried, so the chances of a FIPS approval anytime soon seem slim – regardless of whether or not ChaCha20 is a good cipher.

  • 3
    Since I got an edit stating that AES-CTR, AES-OFB etc. are NIST-approved stream ciphers: CTR and OFB are modes of operations for a block cipher that make it behave like a stream cipher, but I’m talking about algorithms which have been designed as stream ciphers from the beginning (like ChaCha20 or the now-obsolete RC4). The presentation I’ve linked to explains why this difference matters: Running the block cipher AES in CTR or OFB mode can be too computationally expensive for resource-constrained devices, which is why a pure stream cipher was considered as an alternative.
    – Ja1024
    Commented 14 hours ago
  • 2
    While 3DES was NIST-approved, it has been deprecated since 2019, and is no longer allowed to be used since the end of 2023 (other than for data already encrypted by 3DES, of course).
    – Ángel
    Commented 8 hours ago
  • 1
    @Ángel: You're right. I've fixed that part of the answer.
    – Ja1024
    Commented 8 hours ago
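The practical consequence of both answers is that the non-compliance hangs on the symmetric cipher (ChaCha20), not on the TLS version, so any suite whose bulk cipher is ChaCha20 is affected whether it carries a TLS 1.2 name (ECDHE-RSA-CHACHA20-POLY1305) or a TLS 1.3 name (TLS_CHACHA20_POLY1305_SHA256). The following script is an added example, not code from either answer or from the linked pages: it sorts OpenSSL-style cipher-suite names by whether their symmetric cipher is AES (the only block cipher the second answer names as approved for new data), rejecting ChaCha20, RC4, DES/3DES and a few other non-approved algorithms by name. The marker list, the function names and the sample suite list are assumptions made for this example.

```python
"""Sort OpenSSL cipher-suite names by whether their symmetric cipher is one
NIST approves (AES), rejecting ChaCha20 and other non-approved or
legacy-only algorithms purely by suite name. Added example; the marker
list below is an assumption, not a list taken from NIST or from the page."""
import ssl

# OpenSSL naming fragments for symmetric ciphers that are NOT NIST-approved
# for protecting new data (assumed marker list for this example).
NON_APPROVED_MARKERS = (
    "CHACHA20",  # the stream cipher the question is about
    "RC4",       # obsolete stream cipher
    "DES",       # matches DES and 3DES (e.g. "DES-CBC3-SHA"); legacy decrypt only
    "IDEA", "SEED", "CAMELLIA", "ARIA",  # block ciphers without FIPS approval
    "NULL",      # no encryption at all
)


def uses_approved_symmetric_cipher(suite: str) -> bool:
    """True if the suite's bulk cipher is AES (any mode) and no non-approved
    marker appears in the name. Handles both the TLS 1.2 style
    ("ECDHE-RSA-AES256-GCM-SHA384") and the TLS 1.3 style
    ("TLS_AES_256_GCM_SHA384") names that OpenSSL uses."""
    name = suite.upper()
    if any(marker in name for marker in NON_APPROVED_MARKERS):
        return False
    return "AES" in name


def split_by_symmetric_cipher(suites):
    """Partition suites into (approved, rejected), preserving order."""
    approved, rejected = [], []
    for suite in suites:
        (approved if uses_approved_symmetric_cipher(suite) else rejected).append(suite)
    return approved, rejected


def openssl_cipher_string(suites):
    """Build a TLS 1.2 cipher string keeping only approved suites.
    TLS 1.3 suites (TLS_* names) are left out because Python's ssl module
    cannot set them; OpenSSL's -ciphersuites option handles those."""
    approved, _ = split_by_symmetric_cipher(suites)
    return ":".join(s for s in approved if not s.startswith("TLS_"))


def local_openssl_suites():
    """Suite names the linked OpenSSL enables by default for a client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample mixing TLS 1.3 and TLS 1.2 names (not captured output).
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA256",
    "DES-CBC3-SHA",
    "CAMELLIA256-SHA",
]

if __name__ == "__main__":
    approved, rejected = split_by_symmetric_cipher(SAMPLE_SUITES)
    print("approved:", approved)
    print("rejected:", rejected)
    print("TLS 1.2 cipher string:", openssl_cipher_string(SAMPLE_SUITES))
    # Same filter applied to what the local OpenSSL build actually offers:
    _, local_rejected = split_by_symmetric_cipher(local_openssl_suites())
    print("locally enabled but non-approved:", local_rejected)
```

Filtering by name only covers the bulk cipher, which is what this question is about; a FIPS deployment also constrains key exchange, signature and hash algorithms and, more importantly, requires a validated cryptographic module, so a suite list like the one produced here is a necessary but not sufficient step.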
