[whatwg] PeerConnection: encryption feedback

On Thu, Mar 17, 2011 at 11:07 PM, Adam Barth <w3c at adambarth.com> wrote:
>> But you get this with a per-connection (not per-packet) nonce and CTR's
>> sequence number.  You don't need a unique 16-byte nonce for each packet.
>
> The attacker observes each packet once delivered, so you need a new
> nonce for each packet.

I think you're talking about the attack described in
http://www.openssl.org/~bodo/tls-cbc.txt.  These attacks are against CBC,
the cipher mode used by TLS block ciphers.  That's why TLS 1.1 includes a
separate IV for each packet.  That sort of attack doesn't apply to the CTR
cipher mode, because the contents of blocks don't feed back into the
encryption as they do with CBC.

If each packet does have its own random IV, then the CBC cipher mode should
be used, not CTR.  There may be other reasons to use CBC, as it's used by
both TLS and IPsec, but if so I don't know what they are.

> Then the MAC would fail because we're using encrypt-then-mac.

That works if the MAC includes the entire packet, including not just C (the
encrypted data) but also the packet headers (the sequence number).

-- 
Glenn Maynard

Received on Thursday, 17 March 2011 21:24:05 UTC
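The construction the thread converges on (CTR keyed with a per-connection nonce plus the packet sequence number, then a MAC over the whole packet including the header) as an added, self-contained example. This is illustration code written for this archive page, not code from the PeerConnection spec or from either correspondent; the wire layout (4-byte sequence number || ciphertext || 32-byte tag), the 8-byte per-connection nonce, AES-256-CTR and HMAC-SHA256 are all assumptions chosen for the example, and the keys and nonce are constructed constants. Because the sequence number is bound by the MAC, a receiver rejects a packet whose header was altered before it ever derives a counter block from it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire format assumed for this example:
//   seq (4 bytes, big-endian) || ciphertext || HMAC-SHA256 tag (32 bytes)
const (
	seqLen   = 4
	tagLen   = sha256.Size
	nonceLen = 8 // per-connection nonce, fixed for the life of the connection
)

// Channel is the per-connection state both endpoints share.
type Channel struct {
	block  cipher.Block // AES keyed with the encryption key
	macKey []byte
	nonce  [nonceLen]byte
}

func NewChannel(encKey, macKey []byte, nonce [nonceLen]byte) (*Channel, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return &Channel{block: block, macKey: macKey, nonce: nonce}, nil
}

// counterBlock builds the 16-byte CTR initial counter:
// nonce (8) || seq (4) || block counter (4, starting at 0).
// The nonce never changes, but seq never repeats within a connection,
// so no two packets share keystream.
func (c *Channel) counterBlock(seq uint32) []byte {
	iv := make([]byte, aes.BlockSize)
	copy(iv, c.nonce[:])
	binary.BigEndian.PutUint32(iv[nonceLen:], seq)
	return iv
}

// tag computes HMAC over header || ciphertext (encrypt-then-MAC, header included).
func (c *Channel) tag(header, ciphertext []byte) []byte {
	m := hmac.New(sha256.New, c.macKey)
	m.Write(header)
	m.Write(ciphertext)
	return m.Sum(nil)
}

// Seal encrypts plaintext under sequence number seq and returns the packet.
func (c *Channel) Seal(seq uint32, plaintext []byte) []byte {
	header := make([]byte, seqLen)
	binary.BigEndian.PutUint32(header, seq)
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(c.block, c.counterBlock(seq)).XORKeyStream(ct, plaintext)
	pkt := make([]byte, 0, seqLen+len(ct)+tagLen)
	pkt = append(pkt, header...)
	pkt = append(pkt, ct...)
	return append(pkt, c.tag(header, ct)...)
}

var ErrBadTag = errors.New("MAC verification failed")

// Open verifies the tag over header || ciphertext first; only then is the
// sequence number trusted to derive the counter block for decryption.
func (c *Channel) Open(pkt []byte) (uint32, []byte, error) {
	if len(pkt) < seqLen+tagLen {
		return 0, nil, errors.New("packet too short")
	}
	header := pkt[:seqLen]
	ct := pkt[seqLen : len(pkt)-tagLen]
	got := pkt[len(pkt)-tagLen:]
	if !hmac.Equal(got, c.tag(header, ct)) {
		return 0, nil, ErrBadTag
	}
	seq := binary.BigEndian.Uint32(header)
	pt := make([]byte, len(ct))
	cipher.NewCTR(c.block, c.counterBlock(seq)).XORKeyStream(pt, ct)
	return seq, pt, nil
}

// mustChannel returns a Channel with constructed (non-secret) demo keys.
func mustChannel() *Channel {
	encKey := []byte("0123456789abcdef0123456789abcdef") // 32 bytes, constructed
	macKey := []byte("constructed-mac-key-for-demo")
	nonce := [nonceLen]byte{0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33}
	ch, err := NewChannel(encKey, macKey, nonce)
	if err != nil {
		panic(err)
	}
	return ch
}

func main() {
	ch := mustChannel()
	pkt := ch.Seal(7, []byte("hello"))
	fmt.Printf("packet: %x\n", pkt)
	tampered := append([]byte(nil), pkt...)
	tampered[3] ^= 1 // change seq 7 -> 6 in the header
	_, _, err := ch.Open(tampered)
	fmt.Println("tampered header:", err)
}
```

Note that `Open` checks the tag with `hmac.Equal` before any decryption, so a forged or altered sequence number is rejected without the receiver ever using it; this is what makes "MAC the headers too" the answer to the concern raised in the quoted exchange.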