Initialization vector requirements
Falko Strenzke
falko.strenzke at mtg.de
Tue Sep 10 09:56:01 CEST 2024
Hi,
https://www.ietf.org/archive/id/draft-koch-librepgp-02.html#section-5.16.2
says that "the initialization vector per message MUST be distinct" for
OCB. Distinctness is not sufficient here, since the per-chunk nonce is
derived by XORing the IV with the chunk index. Thus, for messages with
multiple chunks, even distinct IVs may lead to repeated nonce usage
(i.e., IV_2 = IV_1 + 1). A corresponding statement in the previous
section for EAX makes the same mistake.
Accordingly, random IVs are required here. After this correction, it
might also be useful to include a section in the security considerations
regarding the number of repeated messages under the same key using
random IVs and the resulting nonce-collision probabilities.
Best regards,
Falko
--
*MTG AG*
Dr. Falko Strenzke
Phone: +49 6151 8000 24
E-Mail: falko.strenzke at mtg.de
Web: mtg.de <https://www.mtg.de>
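As an added illustration (not part of the mail above, the draft, or any LibrePGP implementation), the following Python models the nonce derivation the mail describes, shows how counter-style IVs (IV_2 = IV_1 + 1) repeat a nonce across chunked messages, and computes the kind of nonce-collision bound for random IVs that the mail asks to see in the security considerations. It assumes the draft's 15-octet OCB nonce with the chunk index XORed into its low eight octets.

```python
import os
from fractions import Fraction

OCB_NONCE_LEN = 15  # octets; OCB in the draft uses a 15-octet nonce

def chunk_nonce(iv: bytes, index: int) -> bytes:
    """Per-chunk nonce = IV XOR chunk index (as the mail describes); placing the
    big-endian index in the low eight octets follows the draft and is assumed."""
    if len(iv) != OCB_NONCE_LEN:
        raise ValueError("IV must be %d octets" % OCB_NONCE_LEN)
    if not 0 <= index < 1 << 64:
        raise ValueError("chunk index must fit in 64 bits")
    low = int.from_bytes(iv[-8:], "big") ^ index
    return iv[:-8] + low.to_bytes(8, "big")

def counter_ivs(start: bytes, count: int) -> list:
    """Distinct but sequential IVs (IV_2 = IV_1 + 1): the scheme the mail warns about."""
    base = int.from_bytes(start, "big")
    modulus = 1 << (8 * OCB_NONCE_LEN)
    return [((base + i) % modulus).to_bytes(OCB_NONCE_LEN, "big") for i in range(count)]

def random_ivs(count: int) -> list:
    """Uniformly random IVs, as the mail recommends."""
    return [os.urandom(OCB_NONCE_LEN) for _ in range(count)]

def nonce_collisions(ivs, chunks_per_message: int) -> list:
    """Every (msg_a, chunk_a, msg_b, chunk_b) whose nonces repeat under one key."""
    first_use, repeats = {}, []
    for m, iv in enumerate(ivs):
        for c in range(chunks_per_message):
            n = chunk_nonce(iv, c)
            if n in first_use:
                repeats.append((*first_use[n], m, c))
            else:
                first_use[n] = (m, c)
    return repeats

def nonce_collision_bound(messages: int, chunks_per_message: int) -> Fraction:
    """Union bound on P[some nonce repeats] under random IVs: nonces of two messages
    collide iff IV_a XOR IV_b == c_a XOR c_b, a value below the next power of two
    >= chunks_per_message, and each such 120-bit value has probability 2**-120."""
    pairs = messages * (messages - 1) // 2
    diff_space = 1 << (chunks_per_message - 1).bit_length()
    return Fraction(pairs * diff_space, 1 << (8 * OCB_NONCE_LEN))

if __name__ == "__main__":
    # Constructed demo: two counter-derived IVs, two chunks each -> repeated nonce.
    print(nonce_collisions(counter_ivs(bytes(OCB_NONCE_LEN), 2), 2))
    print(float(nonce_collision_bound(2**32, 2**16)))
```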