[Cryptography] Severe flaw in all generality: key or nonce reuse
John Denker
jsd at av8n.com
Thu Oct 19 08:55:21 EDT 2017
On 10/19/2017 03:38 AM, Peter Gutmann wrote:
> If you want something that's fully reuse-tolerant then there are a pile of
> very recent modes and mechanisms that typically make two passes over the data
> and use the output from the first pass as a randomiser for the second pass
> (although the first use of such modes dates back to at least the early 1990s).
> Downside is that there's almost no support for them in anything, and you need
> to make two passes, which both slows things down and makes streaming
> impossible.

AFAICT all of the following are incompatible with all chaining modes,
including (but not limited to) fancy wraparound modes. These categories
are not mutually exclusive:
-- streaming services (since users commonly join in mid-stream)
-- interactive services (including telephony, distributed gaming, etc.)
-- random access (including disk encryption)
-- anything that encrypts at OSI layer 2 or 3 (since lost packets are not retransmitted)

> It depends on what you mean by "acceptable". As I mentioned in my previous
> message, CBC turns a catastrophic failure (GCM) into a minor information leak,
> and is pretty much universally deployed in crypto libraries and hardware (CBC
> is actually remarkably abuse-tolerant for something that wasn't designed for
> this role). So you've already got something right now that's probably good
> enough in most cases.

That notion of "most cases" seems to exclude quite a wide range of
services, as itemized above. This started as a discussion of WPA2.
There's a reason why WPA2 doesn't use CBC or anything like that.
So what exactly should WPA2 have done?
============
Memo from the keen-grasp-of-the-obvious department: My advice:
Make sure keys and nonces don't get reused.
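As an added example (not part of the original post or of the thread it replies to), the two failure modes being compared above, side by side, in Go with only the standard library: AES-GCM under a reused key and nonce leaks the keystream, so an attacker who knows one plaintext recovers the other message outright; AES-CBC under a reused key and IV leaks only how many leading 16-byte blocks two plaintexts have in common. The key, nonce, IV and messages are constructed for the demo and deliberately reused, which is exactly the mistake at issue.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo material: a fixed key plus a nonce and an IV that are
// deliberately reused across two messages (the mistake this thread is about).
var (
	DemoKey   = []byte("0123456789abcdef") // 16-byte AES-128 key
	DemoNonce = []byte("fixed-nonce!")     // 12-byte GCM nonce, reused
	DemoIV    = []byte("fixed-iv-16bytes") // 16-byte CBC IV, reused
)

// xorBytes XORs a and b, truncated to the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// GCMSeal encrypts pt with AES-GCM and returns ciphertext followed by the
// 16-byte tag. Go's GCM is stateless and will happily reuse a nonce.
func GCMSeal(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, pt, nil)
}

// GCMNonceReuseRecover is the attacker's side: given two ciphertexts produced
// under the same key and nonce, plus the plaintext of the first, recover the
// second. GCM encrypts with CTR mode, so both messages were XORed with the
// same keystream and c1 XOR p1 XOR c2 == p2, with no key involved at all.
// (Reuse also exposes the GHASH authentication key and therefore forgeries;
// this function does not show that part.)
func GCMNonceReuseRecover(c1, knownP1, c2 []byte) []byte {
	const tagLen = 16
	body1 := c1[:len(c1)-tagLen]
	body2 := c2[:len(c2)-tagLen]
	keystream := xorBytes(body1, knownP1)
	return xorBytes(body2, keystream) // as much of p2 as the known keystream covers
}

// CBCEncrypt encrypts pt with AES-CBC and PKCS#7 padding.
func CBCEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padLen := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

// CBCIVReuseLeak is all an attacker learns from two CBC ciphertexts made with
// the same key and IV: the number of leading blocks on which the plaintexts
// agree. Ciphertext blocks match exactly while the plaintext prefixes match
// and diverge for good afterwards; the differing bytes themselves stay hidden.
func CBCIVReuseLeak(c1, c2 []byte) int {
	shared := 0
	for i := 0; i+aes.BlockSize <= len(c1) && i+aes.BlockSize <= len(c2); i += aes.BlockSize {
		if !bytes.Equal(c1[i:i+aes.BlockSize], c2[i:i+aes.BlockSize]) {
			break
		}
		shared++
	}
	return shared
}

func main() {
	// Constructed messages: a second frame sent under the same key and nonce.
	p1 := []byte("frame 1: user joins the stream now")
	p2 := []byte("frame 2: secret session token 42")
	c1 := GCMSeal(DemoKey, DemoNonce, p1)
	c2 := GCMSeal(DemoKey, DemoNonce, p2)
	fmt.Printf("GCM, reused nonce, recovered p2: %q\n", GCMNonceReuseRecover(c1, p1, c2))

	// Constructed messages sharing two full blocks before they differ.
	q1 := []byte("shared header..." + "payload variant A")
	q2 := []byte("shared header..." + "payload variant B")
	d1 := CBCEncrypt(DemoKey, DemoIV, q1)
	d2 := CBCEncrypt(DemoKey, DemoIV, q2)
	fmt.Printf("CBC, reused IV, leading blocks shared: %d\n", CBCIVReuseLeak(d1, d2))
}
```

The GCM half needs no brute force and no knowledge of the key, which is why the thread calls it a catastrophic failure; the CBC half yields a single integer per pair of messages, the "minor information leak" referred to above. Neither mode is a fix for the reuse itself: the only real remedy is the one-line advice at the end of the post.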