
Re: [openpgp] AEAD mode unverified chunks

2018-07-01 22:03:44
Marcus Brinkmann 
<marcus.brinkmann=40ruhr-uni-bochum(_dot_)de(_at_)dmarc(_dot_)ietf(_dot_)org> 
writes:

> My reading is that the nonces for individual chunks are derived from the
> message IV by XORing an index number. See the subsections on EAX and OCB that
> follow.

Sure, however if in the future someone adds another AEAD mode, and in
particular the very fashionable (in fact I'm surprised it isn't already in
there) but also very brittle GCM, then safe IV handling is critical to
security.  It's just a personal preference, but I'd add a somewhat stronger
warning to the text in 5.16 for per-chunk unique/random IVs and the
consequences of not using them when some AEAD modes are used.

Peter.
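An added illustration (not from the thread or the draft) of the two points above: the per-chunk nonce derivation Marcus describes (IV XOR chunk index, assumed here to act on the low eight octets of a 16-octet nonce) and the consequence Peter warns about, namely that a repeated nonce in a counter-mode AEAD such as GCM reuses the keystream and exposes the XOR of the two chunks' plaintexts. The keystream below is a SHA-256 stand-in for AES-CTR so the script runs offline.

```python
# Added example, not code from the OpenPGP draft or any implementation.
# Shows chunk-nonce derivation by XORing the chunk index into the IV, and
# why a repeated nonce is fatal for CTR-based AEAD modes (GCM, EAX, ...).
import hashlib
from itertools import count

NONCE_LEN = 16  # assumed EAX-style nonce length for this example

def chunk_nonce(iv: bytes, index: int) -> bytes:
    """Nonce for chunk `index`: big-endian index XORed into the low 8 octets."""
    if len(iv) != NONCE_LEN:
        raise ValueError("bad IV length")
    if not 0 <= index < 2 ** 64:
        raise ValueError("chunk index out of range")
    low = int.from_bytes(iv[-8:], "big") ^ index
    return iv[:-8] + low.to_bytes(8, "big")

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (SHA-256 in place of AES), keyed by nonce."""
    out = bytearray()
    for ctr in count():
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def leaks_plaintext_xor(key, nonce_a, nonce_b, p_a, p_b) -> bool:
    """True when c_a XOR c_b == p_a XOR p_b, i.e. the keystream was reused."""
    c_a = ctr_encrypt(key, nonce_a, p_a)
    c_b = ctr_encrypt(key, nonce_b, p_b)
    return xor(c_a, c_b) == xor(p_a, p_b)

# Constructed sample inputs (not real OpenPGP material).
KEY = b"\x11" * 32
IV = bytes(range(16))
P0 = b"chunk zero of the message....."
P1 = b"chunk one, same length as zero"

if __name__ == "__main__":
    n0, n1 = chunk_nonce(IV, 0), chunk_nonce(IV, 1)
    print("same nonce twice leaks P0^P1:", leaks_plaintext_xor(KEY, n0, n0, P0, P1))
    print("derived per-chunk nonces leak:", leaks_plaintext_xor(KEY, n0, n1, P0, P1))
```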

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp