[Cryptography] Derive IV from time in ticks.

Phillip Hallam-Baker phill at hallambaker.com
Thu Feb 2 12:01:38 EST 2023


On Wed, Feb 1, 2023 at 2:30 AM Nico Williams <nico at cryptonector.com> wrote:

> On Thu, Dec 29, 2022 at 03:27:41PM -0500, Phillip Hallam-Baker wrote:
> > I am writing a very small scale scheme for use on a UDP based presence
> > service. I am not concerned about traffic analysis at this point, I will
> > add an obfuscation layer later on. Same for rekeying the connection,
> > just starting things off with a Kerberos like scheme.
>
> Are the keys involved session keys or long-term keys?  You mention
> rekeying, so I assume we're talking about session keys produced by a
> reasonable key exchange.  If it's long-term keys then OCB is not the
> droid you're looking for.
>

What is your issue with OCB? I am trying to think of something that
wouldn't have an issue...


I am not following your distinction between long and short term keys. All
my data is stuff I want to keep secret for long term. But this is for
encryption at the presentation level and the content is encrypted inside.

All my constructions tend to have the following form:

1) Perform a key exchange between the client device and the service host
using the device level keys, KDF the result to 256 bits.

2) (optional) Having established an initial secure tunnel, ratchet in key
exchanges under the user key and service key, KDF the result to 256 bits.

3) For each unit of data to be encrypted (envelope for data level, packet
for transport level) pick a salt value, use a KDF to obtain whatever
encryption key, MAC key and IV you need.


I can't remember quite what I was doing last Dec; I might have been looking
to get more performance than maybe I should, because I was looking to build
a QUIC-like transport which gave absolutely nothing away to traffic
analysis (or at least the minimum). I have since backed out that code since
the implementation barrier is a bit high for anyone looking to write a
client that can interop.


So, the current scheme is limited to a secure presence protocol. Messages
consist of 1-16 UDP packets with a salted key+IV derivation per message,
which is probably not going to violate your long-term key concern.
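The three-step construction above, step 3 in particular, as an added worked example (this is illustrative code written for this page, not Phillip Hallam-Baker's implementation). It assumes steps 1 and 2 have already produced a 256-bit session secret (a constructed value here), uses RFC 5869 HKDF with the per-message salt to derive the encryption key, MAC key and IV, and seals each message as salt || ciphertext || tag with encrypt-then-MAC. Because the example has to run offline with only the Python standard library, HMAC-SHA256 in counter mode stands in for a real block cipher in CTR mode; the label strings, field sizes and function names are assumptions, not anything from the thread.

```python
import hashlib
import hmac
import os
import struct

HASH = hashlib.sha256
SALT_LEN = 16   # assumed per-message salt size
TAG_LEN = 32    # HMAC-SHA256 output


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(prk, prev + info + bytes([counter]), HASH).digest()
        out += prev
        counter += 1
    return out[:length]


def derive_message_keys(session_secret: bytes, salt: bytes):
    """Step 3 of the construction: from the 256-bit session secret (steps 1/2)
    and a per-message salt, derive an encryption key, a MAC key and an IV.
    Distinct info labels keep the three outputs independent."""
    prk = hkdf_extract(salt, session_secret)
    enc_key = hkdf_expand(prk, b"presence/enc", 32)   # assumed label
    mac_key = hkdf_expand(prk, b"presence/mac", 32)   # assumed label
    iv = hkdf_expand(prk, b"presence/iv", 16)         # assumed label
    return enc_key, mac_key, iv


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for a block cipher in CTR mode: HMAC-SHA256(key, iv || ctr)
    generates 32-byte keystream blocks that are XORed over the data.
    The IV must never repeat under the same key, exactly as with AES-CTR."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack(">I", offset // 32), HASH).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(session_secret: bytes, plaintext: bytes, salt: bytes = None) -> bytes:
    """Encrypt-then-MAC one message: envelope = salt || ciphertext || tag.
    A fresh random salt per message gives a fresh key and IV per message."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    enc_key, mac_key, iv = derive_message_keys(session_secret, salt)
    ct = keystream_xor(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, salt + ct, HASH).digest()  # salt is authenticated too
    return salt + ct + tag


def open_envelope(session_secret: bytes, envelope: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(envelope) < SALT_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    salt, ct, tag = (envelope[:SALT_LEN], envelope[SALT_LEN:-TAG_LEN],
                     envelope[-TAG_LEN:])
    enc_key, mac_key, iv = derive_message_keys(session_secret, salt)
    expected = hmac.new(mac_key, salt + ct, HASH).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return keystream_xor(enc_key, iv, ct)


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed stand-in for the KDF'd session secret
    env = seal(secret, b"presence: online")
    print(open_envelope(secret, env))
```

The salt is what keeps the derived IV unique, so it is included under the MAC and must be unpredictable or at least never repeated under one session secret; with a random 128-bit salt per message that holds in practice, and it sidesteps the clock-based IV question in the subject line entirely.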