Why is random IV fine for AES-CBC but not for AES-GCM


Question

I have been using AES-CBC for encryption and I use a random IV each time I encrypt plain text. As far as I can tell, this is the recommended approach.

I have been looking into AES-GCM / AES-CTR, primarily for the AEAD. I have not yet implemented anything with this, but from everything I have read, basically the nonce is just a shorter IV and there is an internal counter that is used for each encryption call. The developer needs to make sure the nonce changes before the 32-bit counter cycles back; otherwise the same nonce (IV) is potentially used with the same key, which could encrypt the same plain text and leak the encryption key.

What I don't really understand is why AES-CBC can be fine with a random IV but some of what I have read indicates a random nonce (IV) for AES-GCM is a bad idea. The only thing I can think of is that the IV for AES-CBC is longer than the nonce for AES-GCM, so the likelihood of a duplicate nonce is greater for AES-GCM.

I need to encrypt data that is anywhere from a few bytes to 10 - 20 GB. I know AES-GCM has a limit to the size of data (~60GB) that it can encrypt before the counter cycles. I can get around this limitation since my data is below this limit.

Can someone shed some light on why a random nonce is not suggested for AES-GCM?

Answer

GCM is based on CTR mode and inherits the many-time pad (or two-time pad) problem if a nonce is reused with the same key (very nice example). If the IV is reused in CBC mode, then the only thing that an observer can detect is the equality of message prefixes.

An observer can detect that a previously sent message is sent again with CBC mode, which might not give them much, but CTR provides them with the ability to deduce the contents of a message if some information about the structure of the content is known.

A nonce for AES-GCM mode is expected to be 96 bits long. If you're generating nonces randomly, then you are expected to generate a duplicate nonce after 2^(n/2) = 2^48 messages (see Birthday problem). That is, the probability of generating a duplicate nonce is 50% if you generated 2^48 encrypted messages with the same key. That is quite a lot of messages, but it can happen earlier.
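The two claims in the answer (counter mode turns a repeated nonce into a two-time pad, while a repeated CBC IV only exposes how many leading blocks two messages share) and the birthday estimate for 96-bit nonces can be checked with a short script. The following is an added example, not code from the answer or from any library; it uses HMAC-SHA256 as a stand-in pseudorandom function in place of AES, because the leak depends only on the mode's structure (key, nonce and counter fully determine the keystream), not on the block cipher. The CBC part is encryption-direction only and is not a usable cipher, since HMAC is not invertible; it exists just to show which ciphertext blocks coincide. All keys, nonces and messages below are constructed.

```python
import hashlib
import hmac
import math

BLOCK = 16  # AES block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. Assumption: HMAC-SHA256(key, nonce || counter)
    stands in for AES_k(nonce || counter). A 96-bit nonce plus a 32-bit counter
    mirrors the GCM layout; the keystream is a pure function of (key, nonce)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, ctr_keystream(key, nonce, len(plaintext)))


def recover_from_reuse(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """What an observer learns when two messages share key and nonce:
    c1 XOR c2 == p1 XOR p2 because the keystream cancels, so knowing p1
    (or its structure) yields p2 for the overlapping length."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor(xor(c1[:n], c2[:n]), known_p1[:n])


def cbc_encrypt_demo(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC chaining structure with the same PRF stand-in as the block function.
    Encryption direction only (HMAC is not a permutation, so this cannot be
    decrypted); it demonstrates that with a reused IV, ciphertext blocks match
    exactly up to the first plaintext block that differs and diverge afterwards."""
    assert len(plaintext) % BLOCK == 0, "demo expects block-aligned input"
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        block = hmac.new(key, xor(plaintext[i:i + BLOCK], prev), hashlib.sha256).digest()[:BLOCK]
        out += block
        prev = block
    return out


def common_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Number of leading ciphertext blocks two messages have in common."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


def collision_probability(messages: int, nonce_bits: int = 96) -> float:
    """Birthday approximation: P(some random nonce repeats among `messages`
    draws from 2^nonce_bits values) ~ 1 - exp(-m(m-1) / (2 * 2^bits))."""
    space = 2 ** nonce_bits
    return -math.expm1(-messages * (messages - 1) / (2 * space))


def messages_for_probability(p: float, nonce_bits: int = 96) -> float:
    """Inverse of the approximation: how many random nonces until the repeat
    probability reaches p. For p = 0.5 this is about 1.18 * 2^48."""
    space = 2 ** nonce_bits
    return math.sqrt(-2 * space * math.log(1 - p))


if __name__ == "__main__":
    key = b"\x01" * 32                       # constructed demo key
    nonce = b"\x02" * 12                     # constructed 96-bit nonce, reused on purpose
    p1 = b"GET /index.html HTTP/1.1\r\nHost: a"   # constructed sample messages
    p2 = b"GET /secret.txt HTTP/1.1\r\nHost: a"
    c1, c2 = ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2)
    print("CTR, reused nonce, p2 recovered from p1:", recover_from_reuse(c1, p1, c2) == p2)

    iv = b"\x03" * BLOCK                     # constructed IV, reused on purpose
    m1 = b"A" * 32 + b"B" * 16
    m2 = b"A" * 32 + b"C" * 16
    print("CBC, reused IV, matching leading blocks:",
          common_prefix_blocks(cbc_encrypt_demo(key, iv, m1), cbc_encrypt_demo(key, iv, m2)))

    print("P(repeat) after 2^32 random nonces: %.3g" % collision_probability(2 ** 32))
    print("Nonces for 50%% repeat probability: 2^%.2f" % math.log2(messages_for_probability(0.5)))
```

The CTR half recovers the second message byte-for-byte from the first, with no key material involved, which is the many-time pad the answer refers to; the CBC half shows that the reused IV reveals only that the two messages agree in their first two blocks. The birthday functions give the 2^48 figure from the answer (with the usual constant factor) and also show that a more conservative target, such as keeping the repeat probability below 2^-32, is reached after roughly 2^32 messages per key, which is the practical reason protocols either derive nonces from a counter or rotate keys well before the 50% point.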
