
I wonder if ChaCha20 alone is sufficient for securing files stored on a disk, or should Poly1305 be used along with it? AFAIK, Poly1305 is used to secure the authentication channel, but for securing data-at-rest, the key can be read from the OS's keystore, which (typically) is fairly secure - correct?

If so, does that mean ChaCha20 alone is good enough?

Thanks

Kar

1 Answer


You really don't want to use ChaCha20 alone in (nearly) any situation.

What ChaCha20 does for you is to prevent attackers from (passively) reading your data, which is good. But ChaCha is a so-called stream cipher, which works by XOR'ing a pseudorandom pad with the message (your file at rest). However, it is because of this very way of working that ChaCha doesn't prevent attackers from (actively) reading your data if you allow them to decrypt anything but the stored cipher text.

If an adversary now gets his hands on your drive / file, he can manipulate the file. For example, assume it's your next day's financial transaction plan. An attacker who knows where the account ID of the receiver lies and knows who should receive the transaction can flip the bits at that position in a way that his bank account is the target.

Poly1305 is designed to prevent this kind of attack by assuring that the data hasn't changed without knowledge of the key. Assuming the key for Poly1305 is unknown to the attacker, he can't correctly update the authentication tag. If he now changes a single bit of the cipher text, the verification will fail and you'll notice that somebody has changed your file, protecting you from a malformed operation ( / transaction).

TL;DR: ChaCha20 protects your file from being (passively) read, but not from being manipulated, which may easily cause severe attacks. So you really want to use Poly1305 in addition to ChaCha20.

SEJPM
  • I think "any situation" may be a bit too strong, but definitely when in doubt, use a MAC. – otus Sep 20 '15 at 16:10
  • You say "ChaCha20 protects your file from being read", but that's an overstatement. ChaCha20 alone doesn't prevent the file from being read: chosen-ciphertext attacks may be able to not only let the attacker flip bits, but also let the attacker learn the plaintext. I realize this is counter-intuitive for many people: it feels like encryption ought to be enough to protect at least confidentiality, but when you have a chosen-ciphertext attack model and an encryption scheme that is only secure against chosen-plaintext attacks, that's the situation you're in. – D.W. Sep 20 '15 at 17:23
  • [Disclaimer: the question was tagged file-encryption, but it's still the first Google result for "chacha20 for disk encryption".] It's worth noting that FDE isn't authenticated; you need a +16 byte MAC for each authenticated lump of data. We use XTS instead of CTR for a reason, so I'm wondering if there's an "XTS-a-like" mode for ChaCha20. – JamesTheAwesomeDude Jul 18 '22 at 20:54
  • @JamesTheAwesomeDude thanks for the Google hint. As for ChaCha and FDE: ChaCha is fundamentally a PRF (a function that, with an unknown random key, turns different data into unrelated random data). The irreversibility of this prevents an immediate use of (a modified) ChaCha with XTS or a similar construction. I also can't immediately come up with a related construction that would provide similar properties to XTS using the internal ChaCha construction. – SEJPM Jul 25 '22 at 13:09
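The malleability the answer describes, worked through in code as an added example (not part of the original question, answer or comments): a pure-Python ChaCha20 and Poly1305 following RFC 8439, a constructed "transaction plan" plaintext, and a ciphertext edit that flips "1111" to "9999". Raw ChaCha20 decrypts the edited file silently; ChaCha20-Poly1305 rejects it before releasing any plaintext. The key, nonce and plaintext are constructed sample values.

```python
import hmac, struct
_rotl = lambda v, c: ((v << c) & 0xffffffff) | (v >> (32 - c))
def _qr(s, a, b, c, d):  # ChaCha quarter round, RFC 8439 section 2.1
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 7)
def chacha20_block(key, counter, nonce):  # one 64-byte keystream block
    st = (list(struct.unpack("<4L", b"expand 32-byte k")) + list(struct.unpack("<8L", key))
          + [counter] + list(struct.unpack("<3L", nonce)))
    w = st[:]
    for _ in range(10):  # 20 rounds: 10 x (column round + diagonal round)
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(w, *q)
    return struct.pack("<16L", *[(x + y) & 0xffffffff for x, y in zip(w, st)])
def chacha20_xor(key, nonce, data, counter=1):  # encrypt == decrypt: XOR with keystream
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

def poly1305_tag(otk, msg):  # RFC 8439 section 2.5; otk = r || s, 32 bytes
    r = int.from_bytes(otk[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s, p, acc = int.from_bytes(otk[16:], "little"), (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")
def _aead_tag(key, nonce, ct, aad):  # AEAD layout, RFC 8439 section 2.8; block 0 keys Poly1305
    pad = lambda b: b + b"\x00" * (-len(b) % 16)
    mac_data = pad(aad) + pad(ct) + struct.pack("<QQ", len(aad), len(ct))
    return poly1305_tag(chacha20_block(key, 0, nonce)[:32], mac_data)
def aead_seal(key, nonce, pt, aad=b""):
    ct = chacha20_xor(key, nonce, pt)  # data blocks start at counter 1
    return ct, _aead_tag(key, nonce, ct, aad)
def aead_open(key, nonce, ct, tag, aad=b""):  # verify the tag before decrypting anything
    if not hmac.compare_digest(_aead_tag(key, nonce, ct, aad), tag):
        return None  # tampered: release no plaintext at all
    return chacha20_xor(key, nonce, ct)

def tamper_demo():  # constructed sample key, nonce and plaintext, not real data
    key, nonce, pt = bytes(range(32)), bytes(12), b"PAY 100 TO ACCT 1111"
    ct, tag = aead_seal(key, nonce, pt)
    forged, pos = bytearray(ct), pt.index(b"1111")
    for i in range(pos, pos + 4):  # XOR on the ciphertext is XOR on the plaintext for a stream cipher
        forged[i] ^= ord("1") ^ ord("9")
    forged = bytes(forged)
    return chacha20_xor(key, nonce, forged), aead_open(key, nonce, forged, tag)
```

The first value returned by `tamper_demo()` is the silently altered plaintext a ChaCha20-only scheme would act on; the second is `None`, the AEAD refusing the edited file.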