@bascule @matthew_d_green @tqbf @dchest But it's still busted until you ensure the pair (k, nonce) going into AES-CTR is globally unique
Replying to @marshray
@marshray @matthew_d_green @tqbf @dchest sorry to dig this up again, but isn't it solved by deriving a unique AES-CTR key and nonce via HKDF?
Replying to @bascule
@bascule @matthew_d_green @tqbf @dchest Not if you feed the nonce into the HKDF and leave it out of the AES-CTR initialization.
Replying to @bascule
@bascule http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf … "for each message encrypted by a key...must ensure uniqueness of all the counter blocks across all messages"
Replying to @marshray
@marshray NaCl's aes128ctr uses a 128-bit nonce. Combined with a 128-bit key, isn't that sufficient? https://github.com/jedisct1/libsodium/blob/master/src/libsodium/include/sodium/crypto_stream_aes128ctr.h#L5 …