Re: aes128gcm: why verify padding?

On Fri, Jan 27, 2017 at 01:50:15AM +0000, Manger, James wrote:

> I was hoping for an anti-truncation mechanism that didn't depend in a
> not-completely-obvious-to-me manner on a seemingly quite separate aspect:
> the KDF. For instance, even with no KDF (for key or nonce) having a byte
> distinguishing start/middle/end would be sufficient to authenticate you
> have received an authentic prefix or suffix or complete message.

Actually, if you don't use KDF to obtain the nonce base together with
the key, attacker can corrupt messages unless you actually verify that
the start block is in its proper place.

This is because if attacker can choose noncebase, attacker can reorder
the blocks so all decrypt properly.

Using KDF prevents this because attacker can't produce suitably
related noncebase pairs for the same key



-Ilari

Received on Friday, 27 January 2017 07:21:18 UTC