by kbolino
721 days ago
For some elaboration on my issues with NIST recommendations, let us consider NIST's response to public comments from 2021: NSA raised the issue of "Counter wrapping, or integer overflow, because counter is 32 bits", to which NIST replied that "WITH CURRENT COMPUTING ABILITIES [...] Counter should not overflow". I find that to be a thoroughly inadequate response. Obviously current computing capabilities can overflow a 32-bit counter. That also translates (as NSA also pointed out) to 68GB of data encrypted with the same nonce, which is still "a lot" for some use cases, but easy to exceed for other use cases in the age of terabytes and petabytes. On the issue of nonce reuse specifically, NIST responds to NSA's concerns with 'Generate a new 96-bit nonce for each message using a cryptographically strong PRNG. Re-key at reasonably regular intervals, where "reasonably regular" is defined by how much data and how many messages are being encrypted'. I think that broadly validates what I said. However, "reasonably regular" is not actionable guidance, and it is not always possible to re-key easily. https://csrc.nist.gov/csrc/media/projects/crypto-publication...
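The three limits the comment above touches on, as an added Go example (not code from the commenter or from NIST): the 2^32-block counter that bounds a single nonce to (2^32 - 2) * 16 bytes, the keystream reuse that follows from encrypting two messages under one key and nonce, and a budget that turns "re-key at reasonably regular intervals" into a checkable rule. The key, nonce and plaintexts are constructed for the demo; the 2^32 messages-per-key bound for random nonces is the figure from NIST SP 800-38D, and the `KeyBudget` type is this example's own construction.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	gcmBlockSize = 16
	gcmTagSize   = 16
	// GCM's CTR mode increments only the low 32 bits of the counter block, so one
	// (key, nonce) pair yields 2^32 keystream blocks; one is consumed by J0 for
	// the tag, one by the initial increment, leaving 2^32-2 blocks of plaintext.
	GCMMaxPlaintextLen uint64 = ((1 << 32) - 2) * gcmBlockSize // 68,719,476,704 bytes, about 68.7 GB
	// With random 96-bit nonces, NIST SP 800-38D caps invocations of a single key
	// at 2^32 so that the probability of a nonce collision stays below 2^-32.
	MaxMessagesPerKeyRandomNonce uint64 = 1 << 32
)

// Inc32 is GCM's counter increment: the 96-bit nonce prefix is untouched and the
// trailing 32-bit counter wraps modulo 2^32, after which keystream blocks repeat.
func Inc32(block [16]byte) [16]byte {
	ctr := binary.BigEndian.Uint32(block[12:])
	binary.BigEndian.PutUint32(block[12:], ctr+1) // uint32 addition wraps silently
	return block
}

// SealTwiceSameNonce is the mistake under discussion: two messages under one key
// and one nonce. It returns both ciphertexts (tag appended) as an attacker sees them.
func SealTwiceSameNonce(key, nonce, p1, p2 []byte) (c1, c2 []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nil, nonce, p1, nil), gcm.Seal(nil, nonce, p2, nil), nil
}

// RecoverWithKnownPlaintext needs no key: both ciphertexts are plaintext XOR the
// same keystream, so c1 XOR c2 XOR known yields the other plaintext, up to the
// shorter of the two messages.
func RecoverWithKnownPlaintext(c1, known, c2 []byte) []byte {
	n := len(known)
	if m := len(c2) - gcmTagSize; m < n {
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = c1[i] ^ c2[i] ^ known[i]
	}
	return out
}

// KeyBudget (this example's own construction) turns "re-key at reasonably regular
// intervals" into a rule checked before every Seal: per-message bytes against
// GCM's hard limit, messages per key against the SP 800-38D bound for random
// nonces. Re-key well before either bound, not at it.
type KeyBudget struct {
	Messages uint64
	Bytes    uint64
}

var ErrRekey = errors.New("key exhausted: re-key before encrypting more")

// Allow records one more message of n bytes under this key, or refuses it.
func (b *KeyBudget) Allow(n uint64) error {
	if n > GCMMaxPlaintextLen {
		return fmt.Errorf("message of %d bytes exceeds GCM per-nonce limit of %d", n, GCMMaxPlaintextLen)
	}
	if b.Messages >= MaxMessagesPerKeyRandomNonce {
		return ErrRekey
	}
	b.Messages++
	b.Bytes += n
	return nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16)        // constructed demo key
	nonce := []byte("fixed-nonce!")              // 12 bytes, deliberately reused
	known := []byte("GET /index.html HTTP/1.1")  // plaintext the attacker knows
	secret := []byte("Cookie: session=hunter2!") // unknown to the attacker
	c1, c2, err := SealTwiceSameNonce(key, nonce, known, secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered from nonce reuse: %q\n", RecoverWithKnownPlaintext(c1, known, c2))

	var ctr [16]byte
	copy(ctr[:], nonce)
	binary.BigEndian.PutUint32(ctr[12:], 0xffffffff)
	wrapped := Inc32(ctr)
	fmt.Printf("counter after wrap: %x (nonce prefix unchanged)\n", wrapped[12:])

	var budget KeyBudget
	fmt.Println("oversized message:", budget.Allow(GCMMaxPlaintextLen+1))
}
```

Go's own `cipher.NewGCM` refuses plaintexts above the same (2^32 - 2) * 16 byte limit, so the per-message check in `Allow` is a guard you can apply before buffering a large message rather than discovering the panic afterwards; the per-key message count is the part no library enforces for you, which is why it has to live in the caller.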