[Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

Richard Outerbridge outer at sympatico.ca
Thu Oct 10 17:15:33 EDT 2013


On 2013-10-10 (283), at 15:29:33, Stephen Farrell <stephen.farrell at cs.tcd.ie> wrote:

>> On 10 Oct 2013, at 17:06, John Kelsey <crypto.jmk at gmail.com> wrote:
>> 
>> Just thinking out loud....
>> 

[....]

>> c.  Both sides derive the shared key abG, and then use SHAKE512(abG) to generate an AES key for messages in each direction.

How does this prevent MITM?  Where does G come from?

I'm also leery of using literally the same key in both directions.  Maybe a simple transform would suffice; maybe not.

>> d.  Each side keeps a sequence number to use as a nonce.  Both sides use AES-CCM with their sequence number and their sending key, and keep track of the sequence number of the most recent message received from the other side. 

If the same key is used, there needs to be a simple way of ensuring the sequence numbers can never overlap each other.
__outer
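
The key schedule and nonce discipline that (c) and (d) sketch and that the reply pokes at, as an added example that is not from the thread: one AES key per direction is derived from the shared secret abG with a labelled SHAKE256 call (hashlib has no SHAKE512, so SHAKE256 is a substitution), a direction byte is put in front of the sequence number so the two directions' nonces can never coincide, and the receiver rejects replayed or reflected nonces. The label strings, party identities, key length and 12-byte nonce layout are assumptions.

```python
import hashlib
from dataclasses import dataclass

KEY_LEN = 32    # assumption: AES-256 keys
NONCE_LEN = 12  # assumption: 1 direction byte + 11-byte (88-bit) sequence number


def derive_direction_keys(shared_secret: bytes, initiator: bytes, responder: bytes):
    """Derive two distinct AES keys from abG with SHAKE256 (stand-in for SHAKE512).

    Each key is bound to one direction and to both identities, so the two
    directions never share a key (the "simple transform" of the reply).
    shared_secret is assumed to be abG already encoded as a fixed-length byte string.
    """
    def kdf(label: bytes) -> bytes:
        xof = hashlib.shake_256()
        # Constructed domain-separation label; the version tag is an assumption.
        xof.update(b"dh-sketch-v1|" + label + b"|" + initiator + b"|" + responder)
        xof.update(b"|" + shared_secret)
        return xof.digest(KEY_LEN)

    return kdf(b"initiator->responder"), kdf(b"responder->initiator")


def make_nonce(direction: int, seq: int) -> bytes:
    """Nonce = direction byte || 88-bit sequence number (for use with AES-CCM).

    Because the first byte differs per direction, a sequence number used by the
    initiator can never produce the same nonce as one used by the responder.
    """
    if direction not in (0, 1) or not 0 <= seq < 2 ** 88:
        raise ValueError("bad direction or sequence number")
    return bytes([direction]) + seq.to_bytes(NONCE_LEN - 1, "big")


@dataclass
class Receiver:
    """Tracks the most recent sequence number accepted from the peer (step d)."""
    peer_direction: int
    last_seq: int = -1

    def accept(self, nonce: bytes) -> bool:
        """Accept only the peer's direction and strictly increasing sequence numbers.

        Rejects replays (seq already seen) and reflections (our own direction byte).
        """
        if len(nonce) != NONCE_LEN or nonce[0] != self.peer_direction:
            return False
        seq = int.from_bytes(nonce[1:], "big")
        if seq <= self.last_seq:
            return False
        self.last_seq = seq
        return True
```

Gaps in the sequence are allowed (lost messages), but an older or repeated sequence number is refused, which is what keeps the nonce unique under the same key.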