[Cryptography] Question re: Initialization Vector for AES Counter Mode…

Natanael natanael.l at gmail.com
Thu Apr 27 02:07:31 EDT 2017


On 27 Apr 2017 07:20, "John Denker via cryptography" <
cryptography at metzdowd.com> wrote:

On 04/26/2017 03:28 PM, Jon Callas wrote:

> Personally, I would recommend that you *not* use counter mode or
> anything resembling it for writing files.

I agree with that 100%.

A cipher "mode" is a kludge that kinda maybe sorta allows people
to survive in situations where they can't (or won't) re-key ...
but you should always ask yourself, why not just re-key?  If
your cipher cannot be efficiently or securely re-keyed, maybe
you need a better cipher.

Constructive suggestion:  Use something like ChaCha20, which
is designed to do a good job with file encryption (and a lot
of other things).  It has an enormous keyspace, and can be
re-keyed efficiently.  Construct the key from at least:
  -- The master key.
  -- The block number.


This part:

  -- A sequence number, depending on how many times the
   block has been rewritten.  (This allows random access,
   as well as rewriting the whole file from the beginning.)


This is assuming the file won't be duplicated / shared / restored from
backup. It is not sufficient alone. It also means any duplicated VM fails
spectacularly in keeping the plaintexts secret.

You need a guarantee that every single write will use a unique IV. That
means you need OS level support for your encryption routine on every device
touching the file.

Deriving the IV from the message helps, but for small IVs it isn't a
guarantee for security (in particular when you write often). It is also
impractical for large messages.

> Counter mode creates a stream cipher.

Right.

> it's like leaving a rake in the yard with the tines up.

Good analogy.
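
The failure discussed in this message (a key built from master key, block number and sequence number repeating once the file is duplicated or restored from backup), as an added example that is not part of the original message. It assumes an HMAC-SHA256 key derivation and a SHAKE-256 keystream as stand-ins for the ChaCha20 construction suggested above; the class and function names are hypothetical.

```python
import hashlib
import hmac

def write_key(master: bytes, block_no: int, seq: int) -> bytes:
    # Per-write key from (master key, block number, sequence number).
    info = block_no.to_bytes(8, "big") + seq.to_bytes(8, "big")
    return hmac.new(master, info, hashlib.sha256).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (assumption): SHAKE-256 keystream XORed with the data.
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class FileCopy:
    # One copy of the encrypted file; the sequence numbers live with the copy.
    def __init__(self, master, seq=None):
        self.master = master
        self.seq = dict(seq or {})  # block_no -> times rewritten

    def write(self, block_no: int, plaintext: bytes):
        self.seq[block_no] = self.seq.get(block_no, 0) + 1
        key = write_key(self.master, block_no, self.seq[block_no])
        return self.seq[block_no], stream_xor(key, plaintext)

    def snapshot(self):
        # Backup, file copy or VM clone: the counters are duplicated too.
        return FileCopy(self.master, self.seq)

def rollback_demo():
    master = bytes(range(32))                          # constructed key
    p1, p2 = b"record: alpha 01", b"record: bravo 02"  # constructed plaintexts
    live = FileCopy(master)
    live.write(7, b"record: first 00")
    restored = live.snapshot()
    seq_live, c_live = live.write(7, p1)       # write on the original
    seq_rest, c_rest = restored.write(7, p2)   # write on the restored copy
    seq_next, c_next = live.write(7, p2)       # later write on the same copy
    return {
        "same_seq": seq_live == seq_rest,
        "keystream_reused": xor(c_live, c_rest) == xor(p1, p2),
        "single_copy_ok": seq_next != seq_live and xor(c_live, c_next) != xor(p1, p2),
    }

if __name__ == "__main__":
    print(rollback_demo())
```

Within a single copy the counter keeps every write key distinct; the two copies diverge in content but not in counter state, so both encrypt under the same keystream and the XOR of the two ciphertexts equals the XOR of the two plaintexts.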