[Cryptography] Derive IV from time in ticks.

Phillip Hallam-Baker phill at hallambaker.com
Thu Dec 29 15:27:41 EST 2022


So I am having the following think.

First off, before I get started, I plan to use OCB to encrypt packets. No
GCM or even GCM-SIV in sight.

I am writing a very small scale scheme for use on a UDP-based presence
service. I am not concerned about traffic analysis at this point, I will
add an obfuscation layer later on. Same for rekeying the connection,
just starting things off with a Kerberos-like scheme.

Messages to the service are prefixed by a token, currently 8 bytes in length,
which specifies the client endpoint device. I am considering changing that
to:

DeviceID (8 bytes)
CurrentTime (8 bytes) (in ticks)

So how about bundling those up and using them as the IV for encrypting the
packet with OCB?

Alternatively, if folk get worried about the possibility someone uses GCM by
'mistake', could do:

DeviceID (4 bytes)
Counter (4 bytes)
CurrentTime (8 bytes) (in ticks)

While a service could serve more than 4 million connected clients in
theory, the protocol is designed to allow use of multiple services...


So the reason I am finding including the time in this scheme attractive is
that it provides a lightweight means of preventing replay attacks outside
an arbitrarily narrow time window. The presence service also provides NTP-like
synchronization.

If the timestamp is tampered with, the IV will be changed and
decryption/authentication of the message will fail. That is not necessarily
the only replay attack prevention I intend to use but it is part of it.

What do folk think? Good idea or not?
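As an added illustration, not code from the post: the two IV layouts above and the receiver-side check that enforces the replay window and keeps each device's IV values from repeating. The tick unit (100 ns), the shared epoch and the 30 s window are assumptions; OCB itself is omitted because the standard library has no implementation, and RFC 7253 caps an OCB nonce at 15 bytes, so a 16-byte prefix would have to be shortened before use as the nonce.

```python
import struct
from typing import Dict, Optional, Tuple

# Constructed example. "Ticks" are assumed to be 100 ns units counted from an
# epoch both ends agree on (the post says the service provides NTP-like sync).
TICKS_PER_SECOND = 10_000_000
WINDOW_TICKS = 30 * TICKS_PER_SECOND   # assumed +/- 30 s acceptance window


def make_iv(device_id: int, ticks: int, counter: Optional[int] = None) -> bytes:
    """Build the packet prefix / IV in the two layouts from the post.

    Without a counter: DeviceID (8) || CurrentTime (8)
    With a counter:    DeviceID (4) || Counter (4) || CurrentTime (8)
    """
    if counter is None:
        return struct.pack(">QQ", device_id, ticks)
    return struct.pack(">IIQ", device_id, counter, ticks)


def parse_iv(iv: bytes, with_counter: bool) -> Tuple[int, Optional[int], int]:
    """Inverse of make_iv; returns (device_id, counter or None, ticks)."""
    if with_counter:
        return struct.unpack(">IIQ", iv)
    device_id, ticks = struct.unpack(">QQ", iv)
    return device_id, None, ticks


class ReplayFilter:
    """Receiver-side check run before decryption.

    The timestamp carried in the IV must lie inside the window around local
    time and the (ticks, counter) pair must be strictly newer than the last
    packet accepted from that device. That rejects replays and, for the
    time-only layout, guarantees a device never presents the same IV twice.
    """

    def __init__(self, window_ticks: int = WINDOW_TICKS) -> None:
        self.window = window_ticks
        self.last_seen: Dict[int, Tuple[int, int]] = {}

    def accept(self, iv: bytes, now_ticks: int, with_counter: bool = False) -> bool:
        device_id, counter, ticks = parse_iv(iv, with_counter)
        if abs(now_ticks - ticks) > self.window:
            return False                       # stale or far-future timestamp
        key = (ticks, counter or 0)
        if key <= self.last_seen.get(device_id, (-1, -1)):
            return False                       # replayed or reordered packet
        self.last_seen[device_id] = key
        return True
```

A tampered timestamp is caught later by the AEAD, since the IV it was part of no longer matches; this filter only drops packets that could never authenticate or have already been accepted.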