[Cryptography] Severe flaw in all generality : key or nonce reuse

John Denker jsd at av8n.com
Thu Oct 19 08:55:21 EDT 2017

On 10/19/2017 03:38 AM, Peter Gutmann wrote:

> If you want something that's fully reuse-tolerant then there are a pile of
> very recent modes and mechanisms that typically make two passes over the data
> and use the output from the first pass as a randomiser for the second pass
> (although the first use of such modes dates back to at least the early 1990s).
> Downside is that there's almost no support for them in anything, and you need
> to make two passes, which both slows things down and makes streaming
> impossible.

AFAICT all of the following are incompatible with all chaining modes,
including (but not limited to) fancy wraparound modes.  These categories
are not mutually exclusive:
 -- streaming services (since users commonly join in mid-stream)
 -- interactive services (including telephony, distributed gaming, etc.)
 -- random access (including disk encryption)
 -- anything that encrypts at OSI layer 2 or 3 (since lost packets are not retransmitted)

> It depends on what you mean by "acceptable".  As I mentioned in my previous
> message, CBC turns a catastrophic failure (GCM) into a minor information leak,
> and is pretty much universally deployed in crypto libraries and hardware (CBC
> is actually remarkably abuse-tolerant for something that wasn't designed for
> this role).  So you've already got something right now that's probably good
> enough in most cases.

That notion of "most cases" seems to exclude quite a wide range of
services, as itemized above.  This started as a discussion of WPA2.
There's a reason why WPA2 doesn't use CBC or anything like that.
So what exactly should WPA2 have done?


Memo from the keen-grasp-of-the-obvious department:  My advice:
	Make sure keys and nonces don't get reused.

More information about the cryptography mailing list