@matthew_d_green @tqbf @dchest @marshray am I good to go with HMAC(nonce || ciphertext, hmac_key)?
Replying to @bascule
@bascule @matthew_d_green @tqbf @dchest Usually key is first and include the nonce length. HMAC(K_mac, nonce_length || nonce || ciphertext)
Replying to @marshray
@marshray @matthew_d_green @tqbf @dchest cool, thanks
Replying to @bascule
@bascule @matthew_d_green @tqbf @dchest But it's still busted until you ensure the pair (k, nonce) going into AES-CTR is globally unique
Replying to @marshray
@marshray @matthew_d_green @tqbf @dchest sorry to dig this up again, but isn't this solved by deriving a unique AES-CTR key and nonce via HKDF?
Replying to @bascule
@bascule @matthew_d_green @tqbf @dchest Not if you feed the nonce into the HKDF and leave it out of the AES-CTR initialization.
Replying to @bascule
@bascule http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf … "for each message encrypted by a key...must ensure uniqueness of all the counter blocks across all messages"
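
The advice above to include the nonce length in the MAC input, shown as an added example (not code from anyone in the thread): without the length, two different (nonce, ciphertext) splits of the same bytes authenticate under one tag. The 1-byte length encoding, HMAC-SHA-256, the sample values and a receiver that accepts variable-length nonces are assumptions.

```python
import hashlib
import hmac

def mac_concat(k_mac: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Unframed input: the nonce/ciphertext boundary is not authenticated.
    return hmac.new(k_mac, nonce + ciphertext, hashlib.sha256).digest()

def mac_framed(k_mac: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # HMAC(K_mac, nonce_length || nonce || ciphertext).
    # Assumption: nonce_length is encoded as a single byte.
    if len(nonce) > 255:
        raise ValueError("nonce too long for a 1-byte length prefix")
    framed = bytes([len(nonce)]) + nonce + ciphertext
    return hmac.new(k_mac, framed, hashlib.sha256).digest()

def verify(mac, k_mac: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bool:
    # Constant-time comparison of the recomputed tag.
    return hmac.compare_digest(mac(k_mac, nonce, ciphertext), tag)

def shift_boundary(nonce: bytes, ciphertext: bytes, n: int):
    # Same bytes on the wire, parsed with n ciphertext bytes read as nonce.
    return nonce + ciphertext[:n], ciphertext[n:]

# Constructed sample values, for illustration only.
K_MAC = bytes(range(32))
NONCE = bytes.fromhex("0001020304050607")
CIPHERTEXT = bytes.fromhex("a1b2c3d4e5f60718293a4b5c")

def demo() -> dict:
    # For each construction: (original split verifies, shifted split verifies).
    alt_nonce, alt_ct = shift_boundary(NONCE, CIPHERTEXT, 4)
    results = {}
    for name, mac in (("concat", mac_concat), ("framed", mac_framed)):
        tag = mac(K_MAC, NONCE, CIPHERTEXT)
        results[name] = (
            verify(mac, K_MAC, NONCE, CIPHERTEXT, tag),
            verify(mac, K_MAC, alt_nonce, alt_ct, tag),
        )
    return results

if __name__ == "__main__":
    for name, (original_ok, shifted_ok) in demo().items():
        print(f"{name}: original={original_ok} shifted_split={shifted_ok}")
```

This covers only the MAC framing; the uniqueness of the (k, nonce) pair going into AES-CTR raised later in the thread is a separate requirement that the length prefix does not address.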