
I was considering developing application-level software for file encryption after stress-testing many of my implementations of popular symmetric ciphers. I would love to support multiple algorithms like AES (GCM / CBC / CTR), XChaCha20-Poly1305, etc. But I'm at a crossroads when choosing a highly recommended symmetric cipher for my application, when it comes to performance as well as secure implementation. AES has been tried and tested for years and is still the most popular symmetric cipher in the world. It's well documented and also standardized by various governments (the FIPS standard, for example), but very difficult to implement securely unless hardware acceleration is available. A pure software version of AES is slow, and my application should be able to achieve the same performance on many devices. Also, AES-GCM has a maximum message size limit of ~64 GB, and I really wanted authentication with encryption!

  • Should I stick with AES and its various modes (e.g. CTR + HMAC-SHA256), or is it time to adopt a new symmetric cipher like XChaCha20 or XSalsa20 with Poly1305, which is easy and secure to implement in software but unfortunately not standardized yet?

  • Also, why is using a standardized cipher recommended in production-quality software?

auspicious99
Vivekanand V

1 Answer

Answering your questions in reverse order:

Why use a standardised cipher? It is very difficult to create a cipher that is secure against many possible attacks while maintaining good performance, reasonable complexity for implementation, etc. Standardized ciphers (AES, for example, as you know) have been tried and tested for years, and if they are still popular after all that, we can gain much confidence in such ciphers, versus newer ones that have not (yet) been tried and tested as much.

I think XChaCha20, etc. may not be ready yet for production-quality software, especially depending on your requirements, who would be using it, etc.; the probability that some fatal/serious flaws are found, say after 1 or 2 years when your software is being used by millions of people, may be small, but not as small as for more standardised ciphers.

In fact, if you are concerned about implementation complexity and afraid you may make a mistake in implementation, that concern is valid, but one option is to use certain well-tested libraries/implementations, e.g., of AES-GCM, etc., to mitigate the risks on the implementation side of things.

auspicious99
  • Thank you for your answer! I was actually implementing the software without any external libraries as it is a crypto-only application. I thought of using XChaCha20 because it got popularized, but I am **sticking** with AES! – Vivekanand V Apr 18 '20 at 08:20
  • Then you need to assess the probability that your implementation might have any flaws. I mean, it could be fun and challenging, but you would need to be careful and look out for subtleties. Best wishes! – auspicious99 Apr 18 '20 at 08:26
  • Yes, it is fun and challenging! I am trying my best to protect against side-channel attacks and such! – Vivekanand V Apr 18 '20 at 08:30
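An added example (not code from the question or the answer) of the answer's suggestion to lean on a well-tested implementation rather than a hand-rolled cipher: AES-256-GCM through Go's standard-library crypto/aes and crypto/cipher, with a fresh random 96-bit nonce per message, associated data bound into the tag, a length check before Open, and an explicit check against the roughly 64 GiB per-message GCM limit the question mentions. The function names and the "constructed" key and header values are assumptions made up for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// GCMMaxPlaintext is the most AES-GCM may encrypt under one nonce: (2^32 - 2)
// 16-byte blocks, roughly 64 GiB, the per-message limit the question mentions.
const GCMMaxPlaintext = (1<<32 - 2) * 16

// NewAESGCM builds the AEAD from the standard library; a 32-byte key selects AES-256.
func NewAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh 96-bit nonce from crypto/rand and prepends it to the
// output; aad (e.g. a file header) is authenticated but not encrypted.
func Encrypt(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	if uint64(len(plaintext)) > GCMMaxPlaintext {
		return nil, errors.New("plaintext exceeds the AES-GCM per-message limit")
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || 16-byte tag.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. Any change to nonce, ciphertext, tag or aad makes
// Open fail, and no plaintext is released in that case.
func Decrypt(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}
```

Because the nonce is random rather than a counter, the same key should not be used for more than about 2^32 messages; rotate or derive per-file keys well before that.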