Source and importance of nonce / IV for protocol using AES-GCM

Problem description

I am making a protocol that uses packets (i.e., not a stream) encrypted with AES. I've decided on using GCM (based off CTR) because it provides integrated authentication and is part of the NSA's Suite B. The AES keys are negotiated using ECDH, where the public keys are signed by trusted contacts as a part of a web-of-trust using something like ECDSA. I believe that I need a 128-bit nonce / initialization vector for GCM because even though I'm using a 256-bit key for AES, it's always a 128-bit block cipher (right?). I'll be using a 96-bit IV after reading the BC code.

I'm definitely not implementing my own algorithms (just the protocol -- my crypto provider is BouncyCastle), but I still need to know how to use this nonce without shooting myself in the foot. The AES key used between two people with the same DH keys will remain constant, so I know that the same nonce should not be used for more than one packet.

Could I simply prepend a 96-bit pseudo-random number to the packet and have the recipient use this as a nonce? This is peer-to-peer software and packets can be sent by either at any time (e.g., an instant message, file transfer request, etc.), and speed is a big issue, so it would be good not to have to use a secure random number source. The nonce doesn't have to be secret at all, right? Or necessarily as random as a "cryptographically secure" PRNG? Wikipedia says that it should be random, or else it is susceptible to a chosen plaintext attack -- but there's a "citation needed" next to both claims and I'm not sure if that's true for block ciphers. Could I actually use a counter that counts the number of packets sent (separate from the counter of the number of 128-bit blocks) with a given AES key, starting at 1? Obviously this would make the nonce predictable. Considering that GCM authenticates as well as encrypts, would this compromise its authentication functionality?

Recommended answer

GCM is a block cipher counter mode with authentication. A counter mode effectively turns a block cipher into a stream cipher, and therefore many of the rules for stream ciphers still apply. It's important to note that the same Key+IV will always produce the same PRNG stream, and reusing this PRNG stream can lead to an attacker obtaining plaintext with a simple XOR. In a protocol the same Key+IV can be used for the life of the session, so long as the mode's counter doesn't wrap (int overflow). For example, a protocol could have two parties and they have a pre-shared secret key, then they could negotiate a new cryptographic Nonce that is used as the IV for each session (remember nonce means use ONLY ONCE).

If you want to use AES as a block cipher you should look into CMAC mode or perhaps the OMAC1 variant. With CMAC mode all of the rules for CBC still apply. In this case you would have to make sure that each packet used a unique IV that is also random. However, it's important to note that reusing an IV doesn't have nearly as dire consequences as reusing a PRNG stream.
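The following is an added example, not part of the question or the answer above, and written in Go (whose standard library ships AES-GCM) rather than the asker's Java/BouncyCastle. It puts the counter idea from the question into a packet format for a two-party protocol like the one described: a deterministic 96-bit nonce built from a per-direction ID and a packet counter, refusal to let the counter wrap, an authenticated header as AAD, a receiver that checks the tag before its replay state, and a function that reproduces the nonce-reuse leak the answer warns about (same key and nonce twice gives c1 XOR c2 = p1 XOR p2). The type and field names, the header bytes and the demo key are assumptions for illustration; the key would in practice be the ECDH-derived one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const nonceSize = 12 // 96-bit nonce, the GCM size the question settles on

var ErrNonceExhausted = errors.New("packet counter exhausted: rekey before sending more")
var ErrReplay = errors.New("packet counter not fresh: replay or reordering")

// NewGCM wraps an AES key (16, 24 or 32 bytes; the block is 128 bits either way).
func NewGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sender is one direction of a session. nonce = dirID || counter, so the two
// peers (distinct dirIDs) never collide even though they share one key.
type Sender struct {
	aead    cipher.AEAD
	dirID   uint32
	counter uint64
}

// Seal produces nonce || ciphertext || tag. The header is AAD: authenticated but
// sent in the clear. The nonce is public too; it only has to be unique per key.
func (s *Sender) Seal(header, plaintext []byte) ([]byte, error) {
	if s.counter == ^uint64(0) {
		return nil, ErrNonceExhausted // never let the counter wrap around
	}
	nonce := make([]byte, nonceSize)
	binary.BigEndian.PutUint32(nonce[0:4], s.dirID)
	binary.BigEndian.PutUint64(nonce[4:12], s.counter)
	s.counter++ // advance before sealing so this nonce is never handed out twice
	out := make([]byte, nonceSize, nonceSize+len(plaintext)+s.aead.Overhead())
	copy(out, nonce)
	return s.aead.Seal(out, nonce, plaintext, header), nil
}

// Receiver rejects any packet whose counter is below the next expected one for its
// dirID: lost packets are tolerated, reordering is not (use a window if it reorders).
type Receiver struct {
	aead cipher.AEAD
	next map[uint32]uint64
}

func (r *Receiver) Open(header, packet []byte) ([]byte, error) {
	if len(packet) < nonceSize+r.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	nonce, ct := packet[:nonceSize], packet[nonceSize:]
	pt, err := r.aead.Open(nil, nonce, ct, header) // authenticate before touching state
	if err != nil {
		return nil, err // tag mismatch: ciphertext, header or nonce was altered
	}
	dirID, ctr := binary.BigEndian.Uint32(nonce[0:4]), binary.BigEndian.Uint64(nonce[4:12])
	if ctr < r.next[dirID] {
		return nil, ErrReplay
	}
	r.next[dirID] = ctr + 1
	return pt, nil
}

// NonceReuseLeak is the failure mode the answer warns about: two plaintexts sealed
// under one key+nonce share a keystream, so c1 XOR c2 XOR known = secret (len(known) >= len(secret)).
func NonceReuseLeak(aead cipher.AEAD, nonce, known, secret []byte) []byte {
	c1 := aead.Seal(nil, nonce, known, nil)
	c2 := aead.Seal(nil, nonce, secret, nil)
	out := make([]byte, len(secret))
	for i := range secret {
		out[i] = c1[i] ^ c2[i] ^ known[i]
	}
	return out
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; use the ECDH-derived key in practice
	aead, _ := NewGCM(key)
	alice := &Sender{aead: aead, dirID: 1}
	bob := &Receiver{aead: aead, next: map[uint32]uint64{}}
	hdr := []byte("im v1") // constructed sample header
	pkt, _ := alice.Seal(hdr, []byte("hello bob"))
	pt, err := bob.Open(hdr, pkt)
	fmt.Printf("decrypted %q err=%v\n", pt, err)
	_, err = bob.Open(hdr, pkt) // the same packet a second time
	fmt.Println("replay:", err)
	leak := NonceReuseLeak(aead, make([]byte, nonceSize), []byte("attack at dawn!!"), []byte("retreat at noon!"))
	fmt.Printf("recovered without the key: %q\n", leak)
}
```

Two points the example is built around. First, each call to Seal restarts GCM's internal block counter from the nonce, so for a per-packet AEAD the "one Key+IV per session" rule for a continuous stream becomes "one nonce per packet": the counter nonce is predictable and travels in the clear, which costs nothing (the tag binds the nonce and the header), but a repeat under the same key leaks plaintext as NonceReuseLeak shows, and a 64-bit counter with an explicit refusal to wrap makes a repeat impossible without a rekey. Second, giving each peer its own dirID keeps the two directions in disjoint nonce spaces, which matters here because both sides send under the same ECDH-derived key at any time. The receiver's replay check is deliberately placed after the tag check so that an attacker cannot move the counter window with unauthenticated packets.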
