Q: nonce in ChaCha20Poly1305 #623

Closed
manio opened this issue Aug 25, 2024 · 2 comments

@manio

manio commented Aug 25, 2024

Hi,
There is no Q&A section so I hope it is OK to ask here:
I am trying to send messages securely over a radio channel in my application.
It will be a single client and server.
I decided to go with ChaCha20Poly1305. The example is working fine.

Initially I am generating the key with ChaCha20Poly1305::generate_key and storing it in client and server securely.

Now my question: is it secure to use it like this:

  1. Client initiates connection and asks a server for one-time generated nonce
  2. Server is generating the nonce and sending it to the client
  3. Client is encrypting message with known key and nonce and sending back to the server
  4. Server is decrypting message with known key and a nonce

One of the goals is to prevent replay attacks and I believe that the nonce generation is OK for this.

@tarcieri
Member

It sounds like you want a session encryption protocol. You can look at the CipherState of the Noise protocol for an example: https://noiseprotocol.org/noise.html#the-cipherstate-object

It uses a counter for the nonce, which depends on messages being received in-order.

If you can't guarantee messages are received in-order, things get a lot more complicated. See this section: https://noiseprotocol.org/noise.html#out-of-order-transport-messages
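
The nonce bookkeeping behind both cases mentioned in the reply above, as an added example that is not part of the thread or of the RustCrypto code: the Noise counter-to-nonce encoding for ChaCha20Poly1305, a sender counter that refuses to wrap, and receiver-side tracking of accepted counters for out-of-order delivery. `noise_nonce`, `SendNonce`, `ReplayWindow` and the 64-entry window are names and choices assumed for this example; the AEAD encrypt/decrypt call itself is left to the caller.

```rust
/// Noise's ChaChaPoly nonce: 32 zero bits, then the counter n as little-endian u64.
pub fn noise_nonce(n: u64) -> [u8; 12] {
    let mut out = [0u8; 12];
    out[4..].copy_from_slice(&n.to_le_bytes());
    out
}
/// Sender side: one counter per key, never reused and never wrapped.
pub struct SendNonce { n: u64 }
impl SendNonce {
    pub fn new() -> Self { SendNonce { n: 0 } }
    /// Next (n, nonce), or None once the counter is spent: Noise reserves 2^64-1,
    /// so the key has to be replaced before that point.
    pub fn advance(&mut self) -> Option<(u64, [u8; 12])> {
        if self.n == u64::MAX { return None; }
        self.n += 1;
        Some((self.n - 1, noise_nonce(self.n - 1)))
    }
}
/// Receiver side when n is sent alongside each message: remembers which of the
/// last 64 counters were accepted (window size is an assumption of this example).
pub struct ReplayWindow { highest: Option<u64>, seen: u64 } // bit i = highest - i
impl ReplayWindow {
    pub fn new() -> Self { ReplayWindow { highest: None, seen: 0 } }
    /// True if n is neither a repeat nor older than the window; state is unchanged.
    pub fn is_fresh(&self, n: u64) -> bool {
        match self.highest {
            Some(h) if n <= h => h - n < 64 && (self.seen & (1u64 << (h - n))) == 0,
            _ => true,
        }
    }
    /// Record n only after the AEAD tag has verified under noise_nonce(n).
    pub fn mark_accepted(&mut self, n: u64) {
        match self.highest {
            Some(h) if n <= h => { if h - n < 64 { self.seen |= 1u64 << (h - n); } }
            Some(h) => {
                self.seen = if n - h >= 64 { 1 } else { (self.seen << (n - h)) | 1 };
                self.highest = Some(n);
            }
            None => { self.highest = Some(n); self.seen = 1; }
        }
    }
}

fn main() {
    let (mut tx, mut rx) = (SendNonce::new(), ReplayWindow::new());
    let (n, nonce) = tx.advance().unwrap(); // AEAD encrypt/decrypt with `nonce` goes here
    rx.mark_accepted(n);
    println!("n={} nonce={:02x?} same n fresh again? {}", n, nonce, rx.is_fresh(n));
}
```

With in-order delivery the receiver needs no window: it keeps its own `SendNonce`-style counter, takes no n from the wire, and a replayed ciphertext fails tag verification because the expected nonce has already moved on.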

@manio
Author

manio commented Aug 25, 2024

Thanks!
