
Re: [openpgp] AEAD mode unverified chunks

2018-07-01 10:14:31
On 07/01/2018 03:55 PM, Peter Gutmann wrote:
> Hmmm, and a comment on the text:
>
> "A new random initialization vector MUST be used for each message".
>
> That should be "for each chunk", along with a strong warning about the fact
> that you'll get a catastrophic failure of security if you don't do this and
> use a highly brittle AEAD mode like GCM.  That is, this isn't just some nice
> thing to do like the usual comment about using fresh IVs, you'll get a
> catastrophic security failure if you don't, far more so than with any other
> encryption mode that uses IVs.

My reading is that the nonces for individual chunks are derived from the
message IV by XORing an index number. See the subsections on EAX and OCB
that follow.

Thank you for taking a look at the AEAD part of the specs.

_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp
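An added illustration of the per-chunk nonce derivation the reply describes (example code written for this archive page, not code from the draft or from either poster). It assumes the rule in the EAX/OCB subsections is: take the message IV (16 octets for EAX, 15 for OCB), treat its low eight octets as a big-endian integer, and XOR the chunk index into them; the uniqueness check at the end is the property that addresses the quoted concern about reusing one IV across chunks.

```python
"""Per-chunk AEAD nonce derivation for chunked OpenPGP messages (illustrative)."""

# Assumed IV sizes from the draft's EAX (16 octets) and OCB (15 octets) text.
IV_SIZES = {"EAX": 16, "OCB": 15}


def chunk_nonce(iv: bytes, chunk_index: int) -> bytes:
    """Return the nonce for one chunk: the message IV with the big-endian
    64-bit chunk index XORed into its low (trailing) eight octets."""
    if len(iv) not in IV_SIZES.values():
        raise ValueError("IV must be 16 octets (EAX) or 15 octets (OCB)")
    if not 0 <= chunk_index < 2 ** 64:
        raise ValueError("chunk index must fit in 64 bits")
    head, tail = iv[:-8], iv[-8:]
    mixed = int.from_bytes(tail, "big") ^ chunk_index
    return head + mixed.to_bytes(8, "big")


def nonces_for_message(iv: bytes, chunk_count: int) -> list:
    """Nonces for every data chunk of a message, in order."""
    return [chunk_nonce(iv, i) for i in range(chunk_count)]


def all_nonces_distinct(nonces: list) -> bool:
    """The property the thread is about: no nonce may repeat under one key."""
    return len(set(nonces)) == len(nonces)


if __name__ == "__main__":
    # Constructed sample IV; a real message uses a fresh random one.
    sample_iv = bytes(range(16))
    derived = nonces_for_message(sample_iv, 1000)
    print("derived nonces distinct:", all_nonces_distinct(derived))
    print("same IV for every chunk distinct:",
          all_nonces_distinct([sample_iv] * 1000))
```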