Today we published a security fix for http://golang.org/x/crypto/salsa20 …. If you generated more than 256 GiB of output from a single key+nonce pair, it would loop due to a counter overflow. Found by @mbmcloughlin's fuzzers. https://groups.google.com/d/msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ …
Well, yeah, that's what happens when the cipher stream is wrong. (Worse, since it cycles it breaks unpredictability and secrecy.) Not sure I understand your point?
With respect, I was scanning this thread (linked from elsewhere), and this specific tweet clued me in that you worked for Google before I clicked on your profile.
Yes. But also note: implementations vulnerable to this can have portions of their output very simply decrypted; if you xor the two portions of the message together you get A xor B. From here it's a pencil and paper effort to decrypt.
Of course! And a disaster for a naive Salsa20-based RNG (I did a survey of RNGs about a year ago and none looked like that at the time). I asked because my greatest concern in this case would be for some poor people who used this for file encryption ...
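An added illustration of the keystream-reuse point made above (example code written for this page, not from the golang.org/x/crypto project): a minimal Salsa20/20 block function in Python whose block-counter width is a parameter, so the wrap can be reproduced at 4 bits (1 KiB of output) instead of the 32-bit wrap that took 256 GiB. Once the keystream cycles, XORing two ciphertext blocks one period apart yields the XOR of the two plaintext blocks. Key, nonce and plaintexts are constructed sample values.

```python
import struct

SIGMA = struct.unpack('<4I', b'expand 32-byte k')  # Salsa20 constants for 256-bit keys
MASK = 0xffffffff

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _quarter(x, a, b, c, d):  # Salsa20 quarterround on state words a, b, c, d
    x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)

def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block: 32-byte key, 8-byte nonce, 64-bit block counter."""
    k = struct.unpack('<8I', key)
    n = struct.unpack('<2I', nonce)
    s = [SIGMA[0], *k[:4], SIGMA[1], *n, counter & MASK, (counter >> 32) & MASK,
         SIGMA[2], *k[4:], SIGMA[3]]
    x = s[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round, then row round)
        _quarter(x, 0, 4, 8, 12); _quarter(x, 5, 9, 13, 1)
        _quarter(x, 10, 14, 2, 6); _quarter(x, 15, 3, 7, 11)
        _quarter(x, 0, 1, 2, 3); _quarter(x, 5, 6, 7, 4)
        _quarter(x, 10, 11, 8, 9); _quarter(x, 15, 12, 13, 14)
    return struct.pack('<16I', *((a + b) & MASK for a, b in zip(x, s)))

def keystream(key, nonce, nbytes, counter_bits=64):
    """Keystream with the block counter truncated to counter_bits; a narrow counter wraps and repeats."""
    out, ctr = bytearray(), 0
    while len(out) < nbytes:
        out += salsa20_block(key, nonce, ctr)
        ctr = (ctr + 1) % (1 << counter_bits)  # the wrap is the bug: the keystream cycles here
    return bytes(out[:nbytes])

def period_bytes(counter_bits):  # output length after which a counter_bits-wide counter cycles
    return 64 * (1 << counter_bits)

def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))

def leak_demo(counter_bits, distance=1024):
    """Encrypt two 64-byte blocks `distance` bytes apart; return (C1 ^ C2, P1 ^ P2)."""
    key, nonce = bytes(range(32)), b'\x00' * 8  # constructed sample key and nonce
    p1 = b'first plaintext block, sent at the start of the stream'.ljust(64, b'.')[:64]
    p2 = b'second plaintext block, sent one counter period later'.ljust(64, b'.')[:64]
    ks = keystream(key, nonce, distance + 64, counter_bits)
    c1, c2 = xor(p1, ks[:64]), xor(p2, ks[distance:distance + 64])
    return xor(c1, c2), xor(p1, p2)
```

With `counter_bits=4` the two results are equal (the XOR of ciphertexts is the XOR of plaintexts, as described above); with the full 64-bit counter they are not.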
In theory a stream cipher decryption is the same operation as encryption. But it seems that in practice, that's only true in theory.