Can a zero nonce be safely used with AES-GCM if the key is random and never used again?Multi-target attacks on AES-CTR with a random nonceAES-GCM and its IV/nonce valuenonce of AES-GCM in SSLCan we use the authentication tag as Nonce / IV for the next message?Is it acceptable to write the nonce to the encrypted file during AES-256 GCM?Using AES-CTR to generate AES subkeys from a master key and nonceNonce for AES GCM to prevent replay attacksSafety of random nonce with AES-GCM?Can I use a deterministic NONCE for AES-GCM file encryption if I generate “fresh” keys for each encrypted fileIs AES-GCM with static key and dynamic salt safe to reuse IV/nonceWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = Message
What do I put on my resume to make the company i'm applying to think i'm mature enough to handle a job?
How to ask if I can mow my neighbor's lawn
Numerical second order differentiation
TiKZ won't graph 1/sqrt(x)
Why do you need to heat the pan before heating the olive oil?
How can the US president give an order to a civilian?
Should I email my professor to clear up a (possibly very irrelevant) awkward misunderstanding?
What kind of chart is this?
What could be the physiological mechanism for a biological Geiger counter?
Does knowing the surface area of all faces uniquely determine a tetrahedron?
Would a 7805 5v regulator drain a 9v battery?
Have Steve Rogers (Captain America) and a young Erik Lehnsherr (Magneto) interacted during WWII?
...and then she held the gun
High-end PC graphics circa 1990?
How can I ping multiple IP addresses at the same time?
What is the context for Napoleon's quote "[the Austrians] did not know the value of five minutes"?
How can Caller ID be faked?
My student in one course asks for paid tutoring in another course. Appropriate?
Background for black and white chart
How do I run a script as sudo at boot time on Ubuntu 18.04 Server?
How "fast" does astronomical events happen?
What is this plant I saw for sale at a Romanian farmer's market?
How to search for Android apps without ads?
Are there any super-powered aliens in the Marvel universe?
Can a zero nonce be safely used with AES-GCM if the key is random and never used again?
Multi-target attacks on AES-CTR with a random nonceAES-GCM and its IV/nonce valuenonce of AES-GCM in SSLCan we use the authentication tag as Nonce / IV for the next message?Is it acceptable to write the nonce to the encrypted file during AES-256 GCM?Using AES-CTR to generate AES subkeys from a master key and nonceNonce for AES GCM to prevent replay attacksSafety of random nonce with AES-GCM?Can I use a deterministic NONCE for AES-GCM file encryption if I generate “fresh” keys for each encrypted fileIs AES-GCM with static key and dynamic salt safe to reuse IV/nonceWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = Message
$begingroup$
I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.
The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.
If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?
aes initialization-vector gcm nonce aes-gcm
asked Apr 14 at 22:52
jnm2jnm2
317310
$endgroup$
add a comment |
$begingroup$
I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.
The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.
If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?
aes initialization-vector gcm nonce aes-gcm
asked Apr 14 at 22:52
jnm2jnm2
317310
$endgroup$
add a comment |
$begingroup$
I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.
The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.
If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?
aes initialization-vector gcm nonce aes-gcm
asked Apr 14 at 22:52
jnm2jnm2
317310
$endgroup$
I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a second encryption.
The encryption key is randomly generated, used for a single encryption, split using Shamir's Secret Sharing Scheme, and discarded. When the key is reconstructed for decryption, there is no chance that it can be fed back through to encrypt again; a new random key is always generated for each encryption.
If that's the only constraint, then twelve zero bytes are as safe as twelve random bytes prepended to the ciphertext. I'm reading that the AES-GCM nonce is used as the IV for AES in CTR mode. It's okay to use a zero IV for AES-CTR as long as the key is never reused, but I don't want to assume without confirmation that AES-GCM does nothing relevant with the nonce besides passing it to AES CTR. Am I missing anything?
aes initialization-vector gcm nonce aes-gcm
aes initialization-vector gcm nonce aes-gcm
asked Apr 14 at 22:52
jnm2jnm2
317310
asked Apr 14 at 22:52
jnm2jnm2
317310
asked Apr 14 at 22:52
jnm2jnm2
317310
asked Apr 14 at 22:52
jnm2jnm2
317310
asked Apr 14 at 22:52
jnm2jnm2
317310
317310
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
$begingroup$
Usually. However, if you are using 128-bit AES in CTR mode (remember that GCM is essentially just CTR with authentication), then a kind of attack called a multi-target attack can become possible. This attack is realistic when an attacker has a huge amount of stored ciphertext, each with a random key. While breaking a specific key requires performing up to 2128 operations, breaking any key is significantly easier. This attack can be mitigated either by using a larger key size, or by using a random nonce.
From the above-linked blog post by DJB:
What the attacker hopes to find inside the AES attack is a key collision. This means that a key guessed by the attack matches a key chosen by a user. Any particular guessed key has chance only 1/2128 of matching any particular user key, but the attack ends up merging costs across a batch of 240 user keys, amplifying the effectiveness of each guess by a factor 240.
answered Apr 15 at 7:56
forestforest
5,86112049
$endgroup$
$begingroup$
Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
$endgroup$
– jnm2
Apr 15 at 13:48
$begingroup$
And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
$endgroup$
– jnm2
Apr 15 at 14:09
$begingroup$
@jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
$endgroup$
– forest
Apr 16 at 1:46
add a comment |
$begingroup$
Am I missing anything?
No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.
BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.
answered Apr 14 at 22:57
ponchoponcho
95.9k2154250
$endgroup$
$begingroup$
I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
$endgroup$
– forest
Apr 15 at 8:04
add a comment |
$begingroup$
Does your random generator guarantee (with sufficient confidence) that it won't generate the same random key a second time?
As you correctly stated, as long as the same nonce and key are never re-used, everything is fine. But a randomly generated key does not by itself have such an assurance.
There are two simple ways you can take:
a) accept the risk. Make a quick calculation based on your RNG what the probability is that a key will be repeated and then decide that this chance is acceptable (or not).
b) instead of using a zero nonce, use a simple counter. That's what many implementations actually do. The nonce can be predictable, that's ok.
The decision in a) largely depends on the number of messages you are going to send. If the number is low, the risk is most likely acceptable. If we're talking millions-plus messages, you might find the probability of an identical key (remember the birthday paradox!) too high for comfort.
answered Apr 15 at 7:49
TomTom
24716
$endgroup$
$begingroup$
The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
$endgroup$
– Martin Bonner
Apr 15 at 9:52
$begingroup$
@MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
$endgroup$
– forest
Apr 15 at 9:53
$begingroup$
@MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
$endgroup$
– Tom
Apr 15 at 9:56
$begingroup$
Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator isBCryptGenRandomwithBCRYPT_USE_SYSTEM_PREFERRED_RNGon Windows and OpenSSL on Unix.
$endgroup$
– jnm2
Apr 15 at 14:01
$begingroup$
@jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
$endgroup$
– Tom
Apr 15 at 18:44
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Usually. However, if you are using 128-bit AES in CTR mode (remember that GCM is essentially just CTR with authentication), then a kind of attack called a multi-target attack can become possible. This attack is realistic when an attacker has a huge amount of stored ciphertext, each with a random key. While breaking a specific key requires performing up to 2128 operations, breaking any key is significantly easier. This attack can be mitigated either by using a larger key size, or by using a random nonce.
From the above-linked blog post by DJB:
What the attacker hopes to find inside the AES attack is a key collision. This means that a key guessed by the attack matches a key chosen by a user. Any particular guessed key has chance only 1/2128 of matching any particular user key, but the attack ends up merging costs across a batch of 240 user keys, amplifying the effectiveness of each guess by a factor 240.
answered Apr 15 at 7:56
forestforest
5,86112049
$endgroup$
$begingroup$
Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
$endgroup$
– jnm2
Apr 15 at 13:48
$begingroup$
And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
$endgroup$
– jnm2
Apr 15 at 14:09
$begingroup$
@jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
$endgroup$
– forest
Apr 16 at 1:46
add a comment |
$begingroup$
Usually. However, if you are using 128-bit AES in CTR mode (remember that GCM is essentially just CTR with authentication), then a kind of attack called a multi-target attack can become possible. This attack is realistic when an attacker has a huge amount of stored ciphertext, each with a random key. While breaking a specific key requires performing up to 2128 operations, breaking any key is significantly easier. This attack can be mitigated either by using a larger key size, or by using a random nonce.
From the above-linked blog post by DJB:
What the attacker hopes to find inside the AES attack is a key collision. This means that a key guessed by the attack matches a key chosen by a user. Any particular guessed key has chance only 1/2128 of matching any particular user key, but the attack ends up merging costs across a batch of 240 user keys, amplifying the effectiveness of each guess by a factor 240.
answered Apr 15 at 7:56
forestforest
5,86112049
$endgroup$
$begingroup$
Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
$endgroup$
– jnm2
Apr 15 at 13:48
$begingroup$
And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
$endgroup$
– jnm2
Apr 15 at 14:09
$begingroup$
@jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
$endgroup$
– forest
Apr 16 at 1:46
add a comment |
$begingroup$
Usually. However, if you are using 128-bit AES in CTR mode (remember that GCM is essentially just CTR with authentication), then a kind of attack called a multi-target attack can become possible. This attack is realistic when an attacker has a huge amount of stored ciphertext, each with a random key. While breaking a specific key requires performing up to 2128 operations, breaking any key is significantly easier. This attack can be mitigated either by using a larger key size, or by using a random nonce.
From the above-linked blog post by DJB:
What the attacker hopes to find inside the AES attack is a key collision. This means that a key guessed by the attack matches a key chosen by a user. Any particular guessed key has chance only 1/2128 of matching any particular user key, but the attack ends up merging costs across a batch of 240 user keys, amplifying the effectiveness of each guess by a factor 240.
answered Apr 15 at 7:56
forestforest
5,86112049
$endgroup$
Usually. However, if you are using 128-bit AES in CTR mode (remember that GCM is essentially just CTR with authentication), then a kind of attack called a multi-target attack can become possible. This attack is realistic when an attacker has a huge amount of stored ciphertext, each with a random key. While breaking a specific key requires performing up to 2128 operations, breaking any key is significantly easier. This attack can be mitigated either by using a larger key size, or by using a random nonce.
From the above-linked blog post by DJB:
What the attacker hopes to find inside the AES attack is a key collision. This means that a key guessed by the attack matches a key chosen by a user. Any particular guessed key has chance only 1/2128 of matching any particular user key, but the attack ends up merging costs across a batch of 240 user keys, amplifying the effectiveness of each guess by a factor 240.
answered Apr 15 at 7:56
forestforest
5,86112049
answered Apr 15 at 7:56
forestforest
5,86112049
answered Apr 15 at 7:56
forestforest
5,86112049
answered Apr 15 at 7:56
forestforest
5,86112049
5,86112049
$begingroup$
Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
$endgroup$
– jnm2
Apr 15 at 13:48
$begingroup$
And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
$endgroup$
– jnm2
Apr 15 at 14:09
$begingroup$
@jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
$endgroup$
– forest
Apr 16 at 1:46
add a comment |
$begingroup$
Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
$endgroup$
– jnm2
Apr 15 at 13:48
$begingroup$
And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
$endgroup$
– jnm2
Apr 15 at 14:09
$begingroup$
@jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
$endgroup$
– forest
Apr 16 at 1:46
$begingroup$
Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
$endgroup$
– jnm2
Apr 15 at 13:48
$begingroup$
Good to know! I'm using a 256-bit key and there is not much ciphertext per key (a few kilobytes). It sounds like my particular situation is safe, but can you quantify "huge" to shed light on the decision-making process if I find myself in a similar but different scenario?
$endgroup$
– jnm2
Apr 15 at 13:48
$begingroup$
And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
$endgroup$
– jnm2
Apr 15 at 14:09
$begingroup$
And the sole benefit of a random IV is that it avoids collisions using 256+96 random bits rather than just 256 random bits (or 128+96 instead of 128)?
$endgroup$
– jnm2
Apr 15 at 14:09
$begingroup$
@jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
$endgroup$
– forest
Apr 16 at 1:46
$begingroup$
@jnm2 How huge depends on how much advantage you are OK with the attacker getting. The attack starts to become significantly easier than brute force after around $2^40$ keys. And if you are using a 256-bit key, then there is no reason to use a random nonce, as long as the key is unique and always random.
$endgroup$
– forest
Apr 16 at 1:46
add a comment |
$begingroup$
Am I missing anything?
No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.
BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.
answered Apr 14 at 22:57
ponchoponcho
95.9k2154250
$endgroup$
$begingroup$
I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
$endgroup$
– forest
Apr 15 at 8:04
add a comment |
$begingroup$
Am I missing anything?
No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.
BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.
answered Apr 14 at 22:57
ponchoponcho
95.9k2154250
$endgroup$
$begingroup$
I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
$endgroup$
– forest
Apr 15 at 8:04
add a comment |
$begingroup$
Am I missing anything?
No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.
BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.
answered Apr 14 at 22:57
ponchoponcho
95.9k2154250
$endgroup$
Am I missing anything?
No, you are not; if you use a key only once, that is, to encrypt a single message, and never use it to encrypt anything else, then it doesn't matter what nonce you use. An implicit 'all-00' nonce is as good as any.
BTW: AES-GCM also uses the nonce as a part of the transform that generates the integrity tag; however, that addition does not complicate the fact that an all-00 nonce is fine, as long as you use the key once.
answered Apr 14 at 22:57
ponchoponcho
95.9k2154250
answered Apr 14 at 22:57
ponchoponcho
95.9k2154250
answered Apr 14 at 22:57
ponchoponcho
95.9k2154250
answered Apr 14 at 22:57
ponchoponcho
95.9k2154250
95.9k2154250
$begingroup$
I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
$endgroup$
– forest
Apr 15 at 8:04
add a comment |
$begingroup$
I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
$endgroup$
– forest
Apr 15 at 8:04
$begingroup$
I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
$endgroup$
– forest
Apr 15 at 8:04
$begingroup$
I'm not sure that this is entirely correct, due to the risk of multi-target attacks on AES128.
$endgroup$
– forest
Apr 15 at 8:04
add a comment |
$begingroup$
Does your random generator guarantee (with sufficient confidence) that it won't generate the same random key a second time?
As you correctly stated, as long as the same nonce and key are never re-used, everything is fine. But a randomly generated key does not by itself have such an assurance.
There are two simple ways you can take:
a) accept the risk. Make a quick calculation based on your RNG what the probability is that a key will be repeated and then decide that this chance is acceptable (or not).
b) instead of using a zero nonce, use a simple counter. That's what many implementations actually do. The nonce can be predictable, that's ok.
The decision in a) largely depends on the number of messages you are going to send. If the number is low, the risk is most likely acceptable. If we're talking millions-plus messages, you might find the probability of an identical key (remember the birthday paradox!) too high for comfort.
answered Apr 15 at 7:49
TomTom
24716
$endgroup$
$begingroup$
The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
$endgroup$
– Martin Bonner
Apr 15 at 9:52
$begingroup$
@MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
$endgroup$
– forest
Apr 15 at 9:53
$begingroup$
@MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
$endgroup$
– Tom
Apr 15 at 9:56
$begingroup$
Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator isBCryptGenRandomwithBCRYPT_USE_SYSTEM_PREFERRED_RNGon Windows and OpenSSL on Unix.
$endgroup$
– jnm2
Apr 15 at 14:01
$begingroup$
@jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
$endgroup$
– Tom
Apr 15 at 18:44
add a comment |
$begingroup$
Does your random generator guarantee (with sufficient confidence) that it won't generate the same random key a second time?
As you correctly stated, as long as the same nonce and key are never re-used, everything is fine. But a randomly generated key does not by itself have such an assurance.
There are two simple ways you can take:
a) accept the risk. Make a quick calculation based on your RNG what the probability is that a key will be repeated and then decide that this chance is acceptable (or not).
b) instead of using a zero nonce, use a simple counter. That's what many implementations actually do. The nonce can be predictable, that's ok.
The decision in a) largely depends on the number of messages you are going to send. If the number is low, the risk is most likely acceptable. If we're talking millions-plus messages, you might find the probability of an identical key (remember the birthday paradox!) too high for comfort.
answered Apr 15 at 7:49
TomTom
24716
$endgroup$
$begingroup$
The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
$endgroup$
– Martin Bonner
Apr 15 at 9:52
$begingroup$
@MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
$endgroup$
– forest
Apr 15 at 9:53
$begingroup$
@MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
$endgroup$
– Tom
Apr 15 at 9:56
$begingroup$
Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator isBCryptGenRandomwithBCRYPT_USE_SYSTEM_PREFERRED_RNGon Windows and OpenSSL on Unix.
$endgroup$
– jnm2
Apr 15 at 14:01
$begingroup$
@jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
$endgroup$
– Tom
Apr 15 at 18:44
add a comment |
$begingroup$
Does your random generator guarantee (with sufficient confidence) that it won't generate the same random key a second time?
As you correctly stated, as long as the same nonce and key are never re-used, everything is fine. But a randomly generated key does not by itself have such an assurance.
There are two simple ways you can take:
a) accept the risk. Make a quick calculation based on your RNG what the probability is that a key will be repeated and then decide that this chance is acceptable (or not).
b) instead of using a zero nonce, use a simple counter. That's what many implementations actually do. The nonce can be predictable, that's ok.
The decision in a) largely depends on the number of messages you are going to send. If the number is low, the risk is most likely acceptable. If we're talking millions-plus messages, you might find the probability of an identical key (remember the birthday paradox!) too high for comfort.
answered Apr 15 at 7:49
TomTom
24716
$endgroup$
Does your random generator guarantee (with sufficient confidence) that it won't generate the same random key a second time?
As you correctly stated, as long as the same nonce and key are never re-used, everything is fine. But a randomly generated key does not by itself have such an assurance.
There are two simple ways you can take:
a) accept the risk. Make a quick calculation based on your RNG what the probability is that a key will be repeated and then decide that this chance is acceptable (or not).
b) instead of using a zero nonce, use a simple counter. That's what many implementations actually do. The nonce can be predictable, that's ok.
The decision in a) largely depends on the number of messages you are going to send. If the number is low, the risk is most likely acceptable. If we're talking millions-plus messages, you might find the probability of an identical key (remember the birthday paradox!) too high for comfort.
answered Apr 15 at 7:49
TomTom
24716
answered Apr 15 at 7:49
TomTom
24716
answered Apr 15 at 7:49
TomTom
24716
answered Apr 15 at 7:49
TomTom
24716
24716
$begingroup$
The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
$endgroup$
– Martin Bonner
Apr 15 at 9:52
$begingroup$
@MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
$endgroup$
– forest
Apr 15 at 9:53
$begingroup$
@MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
$endgroup$
– Tom
Apr 15 at 9:56
$begingroup$
Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator isBCryptGenRandomwithBCRYPT_USE_SYSTEM_PREFERRED_RNGon Windows and OpenSSL on Unix.
$endgroup$
– jnm2
Apr 15 at 14:01
$begingroup$
@jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
$endgroup$
– Tom
Apr 15 at 18:44
add a comment |
$begingroup$
The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
$endgroup$
– Martin Bonner
Apr 15 at 9:52
$begingroup$
@MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
$endgroup$
– forest
Apr 15 at 9:53
$begingroup$
@MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
$endgroup$
– Tom
Apr 15 at 9:56
$begingroup$
Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator isBCryptGenRandomwithBCRYPT_USE_SYSTEM_PREFERRED_RNGon Windows and OpenSSL on Unix.
$endgroup$
– jnm2
Apr 15 at 14:01
$begingroup$
@jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
$endgroup$
– Tom
Apr 15 at 18:44
$begingroup$
The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
$endgroup$
– Martin Bonner
Apr 15 at 9:52
$begingroup$
The advantage of using a fixed nonce, is that you don't need to transmit it or store it. I presume this is enough of an advantage for the OP.
$endgroup$
– Martin Bonner
Apr 15 at 9:52
$begingroup$
@MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
$endgroup$
– forest
Apr 15 at 9:53
$begingroup$
@MartinBonner You can usually derive the nonce from the same master secret that the key is derived from.
$endgroup$
– forest
Apr 15 at 9:53
$begingroup$
@MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
$endgroup$
– Tom
Apr 15 at 9:56
$begingroup$
@MartinBonner - as written: weigh the advantage against the risk and make a decision. The OP doesn't specify his use case, which makes it difficult to be specific on the threat level.
$endgroup$
– Tom
Apr 15 at 9:56
$begingroup$
Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator is
BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG on Windows and OpenSSL on Unix.$endgroup$
– jnm2
Apr 15 at 14:01
$begingroup$
Good reminder. I can't use a counter since there is no context saved from one encryption to the next. This is a standalone tool with no central server to house a counter. The only options I know of are fixed nonce (e.g. zeros) and random nonce. The key is 256 bits and encryption will be occasional. The generator is
BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG on Windows and OpenSSL on Unix.$endgroup$
– jnm2
Apr 15 at 14:01
$begingroup$
@jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
$endgroup$
– Tom
Apr 15 at 18:44
$begingroup$
@jnm2 you could use a trivial counter, such as the timestamp (rounded to full seconds or even minutes, if both systems are time-synchronized) or even just the day-of-year (if not and the edge case of one message being not decryptable because it was sent at just the right second doesn't matter). This would already dramatically reduce the chances of a chance repetition.
$endgroup$
– Tom
Apr 15 at 18:44
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68774%2fcan-a-zero-nonce-be-safely-used-with-aes-gcm-if-the-key-is-random-and-never-used%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
