-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/cipher: add NewGCMWithRandomNonce #69981
Comments
Related Issues and Documentation
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.) |
This proposal has been added to the active column of the proposals project |
It's unfortunate that we need yet another NewGCM function, but this is at least consistent with the existing API. |
I'm not sure I understand this. Expected by whom?
I agree with you that consistency with the existing API is better. Another thing for crypto/v2 perhaps. 😄 |
Poor wording on my side, reworded to read
What I am trying to convey is that you don't need to think about the nonce, it's just a ciphertext prefix that Seal and Open know about. |
Based on the discussion above, this proposal seems like a likely accept. The proposal is to add the following to
|
Change https://go.dev/cl/624916 mentions this issue: |
With such a low birthday bound for these short random nonces, it seems like it would be worth keeping a use count and defining a distinguished error message that is returned if the same key is used, say, 2^32 - 4096 times, to let the user know that re-keying will be needed "real soon now", as your security is "on the edge" of collapsing. |
It should probably just return an error once it's hit the upper limit. That doesn't really help if you're using two copies of the key, though. |
Could we also support this new boringcrypto has the method:
|
@wadey , please file a separate proposal for that. Thanks!
I don't see how to do this practically... NewGCMWithRandomNonce can't see through the |
No change in consensus, so accepted. 🎉 The proposal is to add the following to
|
Can we make this method compatible with the equivalent BoringCrypto one? BoringCrypto appends the generated nonce to the tag, where as this proposal says it will be prepended to the cipher text instead. |
Change https://go.dev/cl/629175 mentions this issue: |
@FiloSottile , mind weighing in on this? |
The convention is pretty universally to prepend the nonce to the ciphertext. The BoringSSL equivalent, |
We don't expose it as an AEAD yet because the logic for that is complex due to overlap issues. For #69981 we will make a cipher.AEAD wrapper outside the FIPS module, but maybe a v2 interface will make it easier, and then we'll be able to use this method more directly. Updates #69981 For #69536 Change-Id: Id88191c01443b0dec89ff0d6c4a6289f519369d1 Reviewed-on: https://go-review.googlesource.com/c/go/+/624916 Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
NIST SP 800-38D and in particular FIPS 140-3 IG C.H essentially require that AES-GCM nonces be either generated according to an industry protocol (TLS, SSH) or internally at random by the cryptographic module.
This makes somewhat sense, because AES-GCM nonce reuse is catastrophic and common enough. It makes somewhat less sense because AES-GCM nonces are 96 bits, making the birthday bound of messages that can be encrypted with random nonces with low enough (2⁻³²) chance of collisions a mere 2³² (~4.3 billions).
Anyway, we should offer applications a way to comply with the requirement, and wire it up to the appropriate #69536 API.
The simplest proposal I can think of is to copy NewGCM, folding the NonceSize into the Overhead, like #54364.
Do we want to take the opportunity to make the API return a concrete type? #54364 doesn't and to me it feels like it's not worth breaking the pattern yet (or having it not sort next to the other NewGCMs).
This will have the same implementation challenge described in #54364 (comment): since plaintext and ciphertext don't overlap perfectly when the buffer is reused, Seal will need to avoid stepping over itself.
I regret we are growing a bit of a zoo of AEADs with different properties, but I can't see a way around it (and it's in good part due to the fact that we have only had a bunch of imperfect options for decades, each sub-optimal in different ways): we'll have NewGCMSIV, NewGCMWithRandomNonce, and maybe XAES and XChaCha20Poly1305 with automatic nonces, of which NewGCMWithRandomNonce and NewGCMSIV have a low birthday bound, but NewGCMSIV is collision resistant (as in, it degrades to safe deterministic encryption); and then NewGCM (and the WithNonceSize and WithTagSize variants), NewGCMSIVWithNonce, chacha20poly1305.New, and chacha20poly1305.NewX with manual nonces, of which only NewGCMSIVWithNonce is nonce-misuse resistance. We should eventually clean this all up with a v2 API that only provides the safe ones with automatic nonces, probably with a different interface, but not in Go 1.24.
The text was updated successfully, but these errors were encountered: