-
Hello,
Thanks
Replies: 2 comments
-
Just to clarify: Is your requirement to increment your nonce on a per-block basis (i.e. 16 bytes/128 bits), or on a per-message basis (arbitrary data size)? The latter sounds like a really bad idea, because it almost certainly leads to nonce-reuse and loss of confidentiality if you encrypt multiple messages under the same key. The nonce increment on a per-block basis is just what AES-GCM does internally and you wouldn't need to worry about it when encrypting messages that are larger than 16 bytes.
That is correct. Botan takes the nonces as opaque buffers of bytes. However, internally they are incremented as mandated by the spec. If, in your application, you have to maintain the nonces as integers, you'll have to convert them into byte buffers as you assumed. Here's some code that may be helpful for that. In any case, please be warned: Are you planning to use the AEAD with the same key for multiple messages? Technically, this is fine, but it requires careful handling of the nonces. If, in any situation, the internal block cipher encrypts different plaintext blocks using the same key/nonce pair, you may be losing all confidentiality guarantees!!
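An added example (not the sample code from the reply above, nor Botan's own code) of the integer-to-bytes conversion and the per-message bookkeeping the reply describes: a 96-bit nonce built from a 4-byte fixed field plus an 8-byte big-endian per-message counter, which refuses to hand out another nonce once the counter would wrap. The resulting byte array is the kind of opaque buffer you would pass to Botan's `AEAD_Mode::start()`; that call is only mentioned in a comment, so the block builds without Botan.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>

// 96-bit nonce laid out the deterministic way (NIST SP 800-38D, 8.2.1):
// 4-byte fixed field identifying the key/device, then an 8-byte
// big-endian invocation counter that advances once per message.
using Nonce96 = std::array<std::uint8_t, 12>;

class NonceCounter {
public:
    explicit NonceCounter(std::uint32_t fixed_field, std::uint64_t start = 0)
        : fixed_(fixed_field), next_(start) {}

    // Nonce for the next message; std::nullopt once the counter would wrap.
    // A repeated (key, nonce) pair under GCM/ChaCha20Poly1305 destroys
    // confidentiality, so the caller must rotate the key, not continue.
    std::optional<Nonce96> next() {
        if (exhausted_) return std::nullopt;
        Nonce96 n = encode(fixed_, next_);
        if (next_ == std::numeric_limits<std::uint64_t>::max()) {
            exhausted_ = true;          // last usable value handed out
        } else {
            ++next_;
        }
        return n;
    }

    // Serialise (fixed, counter) as big-endian bytes. This array is the
    // opaque buffer handed to e.g. Botan's AEAD_Mode::start(n.data(), n.size()).
    static Nonce96 encode(std::uint32_t fixed, std::uint64_t counter) {
        Nonce96 n{};
        for (std::size_t i = 0; i < 4; ++i)
            n[i] = static_cast<std::uint8_t>(fixed >> (8 * (3 - i)));
        for (std::size_t i = 0; i < 8; ++i)
            n[4 + i] = static_cast<std::uint8_t>(counter >> (8 * (7 - i)));
        return n;
    }

private:
    std::uint32_t fixed_;
    std::uint64_t next_;
    bool exhausted_ = false;
};
```

The counter state must be persisted across restarts; reloading an older value re-issues nonces already used under the current key.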
-
Yes, the requirement is for a per-message basis with careful monitoring/tracking of nonces and key changes at appropriate times in order to not have a reuse of the nonce with the same key. I understand that AES-GCM / ChaCha20Poly1305 use the nonce and increment it on a per-block basis and had no plans to mess with Botan's implementation of these algorithms. Thanks for the sample code for the encoding and the confirmation on nonces being stored as buffers of bytes.