[Cfrg] Re: how to guard against VM rollbacks
On 1/10/07, Wei Dai <weidai at weidai.com> wrote:
> If random nonces are used, care must still be taken to guard against rollbacks. At a minimum, the nonce must be randomly generated *after* the message to be encrypted and/or authenticated has been fixed. This way, if nonce reuse occurs due to a rollback, it will be reused only with the same message that it was used with previously, which should be safe.
I should add that this advice also applies to cryptographic schemes that use randomness that's not in the form of external nonces. For example, when using DSA, the practice of precomputing g^k mod p should be abandoned, and the random number k should be generated only after the message to be signed has been fixed.
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
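The following is an added worked example, not code from the message above or from any CFRG draft. It illustrates both points of the thread with a toy DSA signer: the quoted advice that the random value must be drawn only after the message is fixed, and the follow-up that precomputing g^k mod p defeats that ordering. The snapshot/rollback model is an assumption made for the example: a snapshot copies the signer's memory (private key, any stored k and r, the message being signed), a rollback restores it, and the entropy source itself is assumed to sit outside the snapshot so it yields fresh values after a rollback. The group parameters are deliberately tiny and are not secure; the messages are constructed inputs.

```python
import copy
import hashlib
import secrets


def is_prime(n):
    """Trial division; adequate for the toy-sized parameters used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def toy_params():
    """Toy DSA group (p, q, g) with q | p-1. Far too small to be secure."""
    q = 1000003                         # small prime subgroup order (toy)
    c = 2
    while not is_prime(c * q + 1):
        c += 2
    p = c * q + 1
    h = 2
    while True:                         # g = h^((p-1)/q) has order q unless it is 1
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
        h += 1


def hash_to_int(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


class VM:
    """Signing process whose memory can be snapshotted and rolled back (assumed model)."""

    def __init__(self, p, q, g, x):
        self.p, self.q, self.g = p, q, g
        self.state = {"x": x, "k": None, "r": None, "msg": None}

    def snapshot(self):
        return copy.deepcopy(self.state)

    def rollback(self, snap):
        self.state = copy.deepcopy(snap)

    def pick_k(self):
        """Draw k and compute r = (g^k mod p) mod q; both are kept in VM memory."""
        while True:
            k = secrets.randbelow(self.q - 1) + 1
            r = pow(self.g, k, self.p) % self.q
            if r != 0:
                self.state["k"], self.state["r"] = k, r
                return

    def fix_message(self, msg):
        self.state["msg"] = msg

    def finish(self):
        """s = k^-1 (H(msg) + x r) mod q with whatever k and msg are in memory."""
        st = self.state
        h = hash_to_int(st["msg"], self.q)
        s = pow(st["k"], -1, self.q) * (h + st["x"] * st["r"]) % self.q
        sig = (st["r"], s)
        st["k"] = st["r"] = st["msg"] = None    # nonce consumed
        return sig


def verify(p, q, g, y, msg, sig):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, hash_to_int(msg, q) * w % q, p) * pow(y, r * w % q, p) % p) % q
    return v == r


def recover_private_key(q, r, sig1, h1, sig2, h2):
    """Classic k-reuse attack: two signatures sharing r (hence k) on different hashes."""
    s1, s2 = sig1[1], sig2[1]
    if s1 == s2:
        return None                     # same message: nothing to solve for
    k = (h1 - h2) * pow((s1 - s2) % q, -1, q) % q
    return (s1 * k - h1) * pow(r, -1, q) % q


def precomputed_k_under_rollback(msg1, msg2):
    """Precompute k, snapshot, sign msg1, roll back, sign msg2: the key leaks."""
    p, q, g = toy_params()
    x = secrets.randbelow(q - 1) + 1
    vm = VM(p, q, g, x)
    vm.pick_k()                         # the g^k precomputation the message warns about
    snap = vm.snapshot()                # snapshot holds k but no message yet
    vm.fix_message(msg1)
    sig1 = vm.finish()
    vm.rollback(snap)                   # attacker rewinds: the stored k comes back
    vm.fix_message(msg2)
    sig2 = vm.finish()
    leaked = recover_private_key(q, sig1[0], sig1, hash_to_int(msg1, q),
                                 sig2, hash_to_int(msg2, q))
    return {"x": x, "same_r": sig1[0] == sig2[0], "leaked": leaked}


def k_after_message_under_rollback(msg1):
    """Fix the message first, then draw k: a rollback replays k only with msg1."""
    p, q, g = toy_params()
    x = secrets.randbelow(q - 1) + 1
    vm = VM(p, q, g, x)
    vm.fix_message(msg1)
    vm.pick_k()                         # k exists only once the message is fixed
    snap = vm.snapshot()                # any snapshot holding k also holds msg1
    sig1 = vm.finish()
    vm.rollback(snap)
    sig2 = vm.finish()                  # same k, same message: identical signature
    leaked = recover_private_key(q, sig1[0], sig1, hash_to_int(msg1, q),
                                 sig2, hash_to_int(msg1, q))
    return {"valid": verify(p, q, g, pow(g, x, p), msg1, sig1),
            "identical": sig1 == sig2, "leaked": leaked}
```

In the precomputed flow the snapshot captures k before any message is attached to it, so the rewound VM happily spends the same k on a second message and `recover_private_key` returns x. In the fix-message-first flow, every snapshot that contains k also contains the message, so a rollback can only reproduce the identical signature and the recovery has nothing to divide by. The example models only this ordering problem; a snapshot that also captures the state of a deterministic PRNG can still repeat k on a different message, which is why the quoted text calls the ordering a minimum rather than a complete defence.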