You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
From Dan Harkins in the call. This could affect the presented limits.
The text was updated successfully, but these errors were encountered:
chris-wood
changed the title
Consider situations where AAD is longer than plaintext
Consider situations where AAD is non-negligible in length compared to the plaintext
Jul 27, 2020
NTP (Network Time Protocol) uses UDP which is easy to forge. It's getting a
layer of authentication which uses AEAD.
The basic NTP packet is 48 bytes. NTS bumps that up to roughly 200. The
client-to-server has no encryption. The server-to-client encrypts roughly 100
bytes.
That 100 bytes is a cookie which also uses AEAD. The cookie contains a
client-to-server and a server-to-client key for the above AEAD so the server
doesn't have to maintain any per-client state. The cookie key is maintained
by the server.
Closing as WONTFIX, since (a) not all published analyses make this distinction between AAD and plaintext length inputs, and (b) assuming AAD is part of the plaintext in practice likely does not have any substantial impact on key update or rotation logic.
From Dan Harkins in the call. This could affect the presented limits.
The text was updated successfully, but these errors were encountered: