doutangkao2789 2011-10-05 20:46

If I use a nonce in the protocol, does the IV still need to be random?

I am creating a protocol which tries to 'store' symmetric key sessions for later. I store three things: the session_id (public), symmetric_key (private), and counter/nonce (private). With every transmission, the session_id is transmitted in the clear and used to look up the symmetric_key. The symmetric key is used to decrypt the data. The data contains a hash (sha256) which is used to verify message contents. Then, I extract the nonce from the contents and check that it matches the stored nonce. If it does, I increment the stored nonce by 1. Otherwise, the packet is fake and I toss it. Currently, I use the nonce as the IV for the symmetric_key. Is this an error? Must I use a completely random IV? Lastly, if I do use a random IV, then how do I transmit more than once? Do I need to renegotiate a new key? I am using the mcrypt library to do this.

To be clear, the client is sending: [nonce + data + hash(data+nonce)]encrypted + session_key

Thanks!


2 answers

  • dongqiulei6805 2011-10-13 20:11

    I will restrict my answer to the use of random IV. I assume that you are using Cipher Block Chaining (CBC) mode that requires an IV.

    Note that the IV is not encrypted (as the receiving party needs that for decrypting the first block of data) and so if you are using the nonce as the IV, instead of saying [nonce + data + hash(data+nonce)]encrypted it is more precise to say nonce + [data + hash(data+nonce)]encrypted, where + denotes concatenation.

    RFC 2451 "The ESP CBC-Mode Cipher Algorithms" says "The IV MUST be chosen at random. Use of a randomly generated IV prevents generation of identical ciphertext from packets which have identical data that spans the first block of the cipher algorithm's blocksize."

    In addition to being random, the IV should also be unpredictable. The earlier practice of using the last ciphertext block of the previous message as IV --- which though random is predictable --- is flawed. This flaw, however, is of concern to you only if the adversary can mount a chosen plain text attack. That is, if the attacker can send chosen plain text to be encrypted and be able to see the result. Obviously, a nonce, while unique, is predictable.

    It is better to use a random IV. You can seed a PRNG and generate IVs and conservatively re-seed well before the sequence repeats. When re-seeding, it is also good idea to use key-exchange and change the symmetric key. This will ensure that for a given key you never use the same IV twice.

    For more info on chosen plain text attack, see "Why is using a Non-Random IV with CBC Mode a vulnerability?"

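The layout the answer describes, iv + [nonce + data + hash(data+nonce)]encrypted, with a fresh random IV per message so that one key carries many messages, as an added example in Go (not code from the question, the answer, or mcrypt). It assumes AES-128 in CBC mode with PKCS#7 padding and a big-endian 64-bit nonce; the receiver keeps the asker's hash and nonce checks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"io"
)

// Seal builds iv || CBC-Enc(key, iv, nonce || data || sha256(data || nonce)).
// The IV is fresh random bytes per message, sent in the clear, so one key
// can carry many messages; the nonce inside the ciphertext is the counter.
func Seal(key []byte, nonce uint64, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 16-byte key => AES-128 (assumed)
	if err != nil { return nil, err }
	n := make([]byte, 8)
	binary.BigEndian.PutUint64(n, nonce)
	sum := sha256.Sum256(append(append([]byte{}, data...), n...))
	body := append(append(n, data...), sum[:]...)
	p := aes.BlockSize - len(body)%aes.BlockSize // PKCS#7 padding
	body = append(body, bytes.Repeat([]byte{byte(p)}, p)...)
	out := make([]byte, aes.BlockSize+len(body))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil { return nil, err }
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], body)
	return out, nil
}

// Open reverses Seal and applies the receiver's checks from the question: the
// hash must verify and the nonce must equal *expect, which is then advanced.
// Every failure returns the same error, so the receiver leaks no detail.
func Open(key []byte, expect *uint64, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 { return nil, errors.New("rejected") }
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:])
	p := int(pt[len(pt)-1])
	if p == 0 || p > aes.BlockSize || len(pt)-p < 8+sha256.Size { return nil, errors.New("rejected") }
	pt = pt[:len(pt)-p]
	n, data, sum := pt[:8], pt[8:len(pt)-sha256.Size], pt[len(pt)-sha256.Size:]
	want := sha256.Sum256(append(append([]byte{}, data...), n...))
	if subtle.ConstantTimeCompare(sum, want[:]) != 1 || binary.BigEndian.Uint64(n) != *expect { return nil, errors.New("rejected") } // the asker's "toss it"
	*expect++
	return data, nil
}
```

Sealing the same plaintext twice under the same key yields different ciphertexts because of the random IV, while a replayed or altered message is rejected by the nonce and hash checks.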
