[Cryptography] Non-deterministic PRF as a MAC-and-Nonce for AEAD?

Alfie John alfie at alfie.wtf
Fri Jun 29 23:50:47 EDT 2018


On Mon, Jun 04, 2018 at 01:43:04PM +0000, Jason Cooper wrote:
> > 
> > Non-deterministic-deterministic functions is an oxymoron... i know :)
> > 
> > What I was trying to do was think of a way to get rid of the IV/nonce as
> > a parameter to an encrypt function call. I've seen code from many
> > organisation where the coder didn't know what to use for the IV
> > parameter, so they used the static values from examples copied from the
> > docs or even forum examples. Give a coder a footgun, and they'll use
> > it...
> 
> Honestly, if the coder doesn't know to ask a cryptographer, or security
> engineer when they encounter nonce generation for an API, that's an
> education / experience problem.  A good manager should ensure the junior
> coder is either a) not going near crypto, or b) is closely supervised by
> an experienced crypto/security engineer when touching crypto.
> 
> The best / easiest solution to your problem isn't technical,
> unfortunately.  It's human.  There's no substitute for experienced
> developers mentoring junior developers while working in crypto and
> security.

I've been thinking about this for a while now...

My entire motivation for reducing parameters to calls was because the majority
of dev shops, let alone at-home hobby projects, do not have an in-house
security team. Even less likely is an in-house cryptographer.

So this *really does* put cryptography out of reach for not only junior
developers, but also experienced developers who haven't done the required
reading to stay out of danger. This would probably be the main reason why there
is so much roll-your-own out in the wild and broken code.

libsodium does an awesome job to reduce mistakes and encourage best practices,
but I think we can reduce the mental load even just a little bit more, e.g. by
generating the nonce inside of crypto_aead_chacha20poly1305_encrypt() and then
appending it to the ciphertext (just like it already does to the authentication
tag). The first thing crypto_aead_chacha20poly1305_decrypt() would do is strip
the nonce off the end and use it as it does now.

(another cleanup would be to remove altogether the nsec parameter...)

Once you did this, look at the clean interface you have, especially in a
language that understands string lengths:

    my $ciphertext                  = crypto_aead_chacha20poly1305_encrypt($message, $additional_data, $key);
    my ($message, $additional_data) = crypto_aead_chacha20poly1305_decrypt($ciphertext, $key);

Going to be hard for a non-expert to use the above code incorrectly.

Alfie

-- 
Alfie John
https://www.alfie.wtf
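The wrapper the post sketches, written out as an added example in Go. This is not code from the original message or from libsodium: Go's standard library does not ship ChaCha20-Poly1305, so the AEAD underneath is AES-256-GCM from crypto/cipher, which has the same shape (12-byte nonce, 16-byte tag appended to the ciphertext). The function names Seal and Open, the 32-byte key size and the sample message and associated data are all assumptions made for the example. It keeps the additional data as a caller-supplied parameter on the decrypt side, since the AEAD needs it to verify the tag; the nonce handling is the part the post proposes: the nonce is drawn inside the encrypt call and appended after the tag, and the decrypt call strips it off the end before verifying.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is the AES-256 key length; an assumption for this example.
const KeySize = 32

// ErrCiphertextTooShort is returned when the input cannot even hold a tag and nonce.
var ErrCiphertextTooShort = errors.New("sealed input too short to hold tag and nonce")

// newAEAD builds the AEAD. The post discusses libsodium's ChaCha20-Poly1305;
// Go's standard library does not include it, so AES-256-GCM stands in here.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg with ad as associated data. The nonce is generated from
// crypto/rand inside the call, so the caller never chooses one, and is
// appended after the ciphertext and tag. Output layout: ciphertext || tag || nonce.
func Seal(key, msg, ad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := aead.Seal(nil, nonce, msg, ad) // ciphertext || tag
	return append(out, nonce...), nil
}

// Open strips the nonce from the end of sealed, then verifies the tag
// against ad and decrypts. Any modification of ciphertext, tag, nonce or
// ad makes aead.Open return an error and no plaintext.
func Open(key, sealed, ad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, ErrCiphertextTooShort
	}
	split := len(sealed) - ns
	nonce, ct := sealed[split:], sealed[:split]
	return aead.Open(nil, nonce, ct, ad)
}

func main() {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample input for the demo.
	msg := []byte("attack at dawn")
	ad := []byte("header-v1")

	sealed, err := Seal(key, msg, ad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed (%d bytes): %x\n", len(sealed), sealed)

	pt, err := Open(key, sealed, ad)
	fmt.Printf("opened: %q err=%v\n", pt, err)

	// Flip one ciphertext bit: the tag check must fail.
	sealed[0] ^= 0x01
	_, err = Open(key, sealed, ad)
	fmt.Println("tampered:", err)
}
```

Two caveats a practitioner would add before shipping this pattern. First, drawing the nonce at random is only safe when the nonce is wide enough: the original libsodium crypto_aead_chacha20poly1305 construction uses an 8-byte nonce, which is far too small for random generation under one key, and even the 12-byte IETF nonce (and GCM's 12 bytes here) limits how many messages a single key may protect before collisions become a concern; the 24-byte nonce of XChaCha20-Poly1305 is the variant that fits a "generate it inside encrypt" API comfortably. Second, the post appends the nonce after the tag; putting it in front is the more common layout, and either is fine as long as encrypt and decrypt agree on where it lives.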

