Re: [Cfrg] how to guard against VM rollbacks
On 1/10/07, Wei Dai <weidai at weidai.com> wrote:
If random nonces are used, care must still be taken to guard against rollbacks. At a minimum, the nonce must be randomly generated *after* the message to be encrypted and/or authenticated has been fixed. This way, if nonce reuse occurs due to a rollback, it will be reused only with the same message that it was used with previously, which should be safe.
Even with a random nonce there could be duplication if the OS RNG
state does not get changed from the time the rollback occurs until the
RNG is queried for the nonce. (Here I am assuming that the RNG is part
of the virtualized OS and not a global resource.) Note that some RNGs
buffer entropy and do not add it to the main RNG state until a certain
amount of estimated entropy has been acquired, to avoid state
following attacks. That will increase the window of vulnerability to
this problem. Nonce duplication could be avoided by creating the nonce
as a hash of RNG data and the message being hashed, to achieve the
condition that nonce reuse would only happen with the same message.
This issue could especially be a problem for counter mode encryption,
where reuse of the counter initial value will largely destroy secrecy
guarantees. Something like CBC tends to be more robust to IV reuse and
still gives you an ECB-like level of security when it happens.
Hal Finney
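An added example, not part of either mail above, that simulates the rollback scenario: a snapshot-able RNG stands in for the virtualized OS RNG, a toy CTR mode built on HMAC-SHA256 stands in for AES-CTR, and the seed, key and messages are constructed. It contrasts a plain random nonce with Hal's hash(RNG output || message) construction and checks whether the ciphertext XOR leaks the plaintext XOR.

```python
import hashlib
import hmac

class SnapshotRng:
    """Toy RNG whose whole state is a seed and a counter, so a VM snapshot
    and rollback can be modelled by saving and restoring that state."""
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def snapshot(self):
        return (self.seed, self.counter)

    def rollback(self, snap):
        self.seed, self.counter = snap  # RNG state is exactly as before

    def read(self, n: int) -> bytes:
        out = hashlib.sha256(self.seed + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        return out[:n]

def plain_nonce(rng, message):
    # Nonce drawn from the RNG alone: a rollback replays it for any message.
    return rng.read(12)

def bound_nonce(rng, message):
    # Nonce = hash(RNG data || message): a replayed RNG output can only
    # reproduce the nonce for the identical message.
    return hashlib.sha256(rng.read(32) + message).digest()[:12]

def ctr_encrypt(key: bytes, nonce: bytes, message: bytes) -> bytes:
    # Toy CTR mode: keystream block i = HMAC-SHA256(key, nonce || i).
    out = bytearray()
    for i in range(0, len(message), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(message[i:i + 32], block))
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rollback_demo(nonce_fn, m1: bytes, m2: bytes):
    """Encrypt m1, roll the VM back, encrypt m2 with the same RNG state.
    Returns (nonce reused?, c1 XOR c2 == m1 XOR m2?)."""
    key = b"constructed-key-for-demo-only!!!"  # constructed, 32 bytes
    rng = SnapshotRng(b"constructed-seed")
    snap = rng.snapshot()
    n1 = nonce_fn(rng, m1)
    c1 = ctr_encrypt(key, n1, m1)
    rng.rollback(snap)            # VM rolled back before the RNG was reseeded
    n2 = nonce_fn(rng, m2)
    c2 = ctr_encrypt(key, n2, m2)
    return n1 == n2, xor(c1, c2) == xor(m1, m2)
```

With `plain_nonce` the rollback reuses the nonce for a different message and the keystream cancels, exposing m1 XOR m2; with `bound_nonce` the nonces differ and nothing is leaked, while an identical message still maps to the same nonce, which is the harmless case.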
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg