I’m curious why Base62 and not simply Base64UrlSafe, which has a constant time implementation in libsodium.
Hm, constant time, what do you mean by that? Also, I have tried to find the code (regarding b64) but no luck :(
See for example https://blog.ircmaxell.com/2014/11/its-all-about-time.html
It is mostly important for decoding key material if stored encoded, so technically it may not be necessary here to have the encoder/decoders be constant time, but well, better safe than sorry when dealing with security sensitive code.
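To make the "constant time" point concrete: the decoder below is an added example (not libsodium's code and not part of Branca) showing the branchless approach a URL-safe Base64 decoder uses so that execution time does not depend on the bytes being decoded. It assumes the unpadded base64url alphabet (A-Z, a-z, 0-9, '-', '_'); the helper names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Mask helpers: all-ones (0xFFFFFFFF) when the relation holds, 0 otherwise.
 * Inputs are small (< 2^31), so a - b wraps with the top bit set when a < b.
 * Caveat: a compiler may still reintroduce branches; inspect the output. */
static uint32_t ct_lt(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); }
static uint32_t ct_ge(uint32_t a, uint32_t b) { return ~ct_lt(a, b); }
static uint32_t ct_le(uint32_t a, uint32_t b) { return ct_ge(b, a); }
static uint32_t ct_eq(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;                      /* zero iff a == b */
    return ~(0u - ((x | (0u - x)) >> 31));
}

/* Map one base64url character to 0..63, or 0xFF if it is not in the
 * alphabet. Every range is evaluated for every input; no table lookup. */
static uint32_t b64url_char_to_val(uint32_t c) {
    uint32_t v = 0;
    v |= ct_ge(c, 'A') & ct_le(c, 'Z') & (c - 'A');
    v |= ct_ge(c, 'a') & ct_le(c, 'z') & (c - 'a' + 26);
    v |= ct_ge(c, '0') & ct_le(c, '9') & (c - '0' + 52);
    v |= ct_eq(c, '-') & 62;
    v |= ct_eq(c, '_') & 63;
    /* v == 0 means either a valid 'A' or an invalid character; flag the latter */
    uint32_t invalid = ct_eq(v, 0) & ~ct_eq(c, 'A');
    return v | (invalid & 0xFF);
}

/* Decode unpadded base64url. Returns bytes written, or -1 on a bad length or
 * an invalid character. The whole input is consumed before the verdict, so
 * the position of a bad character does not change the running time. */
static int b64url_decode(const char *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in_len % 4 == 1) return -1;          /* length alone is not secret */
    uint32_t acc = 0, bits = 0, bad = 0;
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        uint32_t v = b64url_char_to_val((unsigned char) in[i]);
        bad |= v >> 7;                       /* 0xFF marks an invalid char */
        acc = (acc << 6) | (v & 0x3F);
        bits += 6;
        if (bits >= 8) {                     /* depends on position only */
            bits -= 8;
            if (n < out_cap) out[n] = (uint8_t) (acc >> bits);
            n++;
            acc &= (1u << bits) - 1;
        }
    }
    if (bad || n > out_cap) return -1;
    return (int) n;
}
```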
How does this compare to Paseto? Branca seems just more limited and opinionated.
I think this is meant to be more like itsdangerous than Paseto; similar to Paseto, it is meant to be algorithmically simple (XChaCha20-Poly1305 for authenticated encryption authenticated data, whereas Paseto supports XChaCha20-Poly1305 + Blake (for nonce misuse resistance) and Edwards-curves via Ed25519), but unlike Paseto, it doesn’t have a tie-in to a JSON-like structure.
From reading its specification, I don’t see a way to rotate the secret key seamlessly by encrypting tokens using a new key, whilst decrypting tokens with both an old and new key for a short time. The lack of this might inconvenience end users in some situations.
A “key id” would be easier… a way to indicate which key needs to be used to decrypt the token, in case simply trying all keys is not acceptable.
I stumbled across this when an implementation was created for clojure.
I’m curious to look further into Branca to see to their suitability as a JWT replacement, due to the many well known issues with JWT.
This is only for symmetric encryption.