From the Robustness section for AEAD constructions:
> If that turns out to be a concern, this can be solved in different ways:
>
> - By incorporating a key identifier in the nonce
> - By including a key identifier in the additional data
> - By including a 128-bit fixed string in the message and verifying it during the decryption process
The third bullet point is very clear. However, it's less clear how to create a key identifier for the first and second bullet point implementations. The papers on the subject are rather confusing if you're not used to the notation. Please could you explain a suitable method of generating a key identifier in the documentation. Thank you.
A key identifier is anything that can let your application uniquely identify a key, in a protocol handling key rotation.
This information doesn't have to be secret nor unpredictable. It can be a serial number (even a simple counter) or a random value, although padding to at least 128 bits wouldn't be a bad idea.
If this is confusing, I'd rather remove this from the documentation, especially since papers have been published on that subject.
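
One way to apply the reply above to the second option (key identifier in the additional data), as an added example that is not part of this thread or of the project's documentation: the identifier is a serial number padded to 128 bits. `KeyRing`, its methods and the message layout are hypothetical, and Python's `cryptography` package stands in for the AEAD.

```python
import os

from cryptography.exceptions import InvalidTag  # raised by open() on failure
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

KEY_ID_LEN = 16  # 128 bits, the padding size suggested in the reply
NONCE_LEN = 12   # nonce size of IETF ChaCha20-Poly1305


class KeyRing:
    """Hypothetical key store for a protocol that rotates keys."""

    def __init__(self):
        self._keys = {}    # key identifier -> secret key
        self._serial = 0   # public counter; neither secret nor unpredictable
        self.current = None

    def rotate(self):
        """Create a new key; its identifier is the serial padded to 128 bits."""
        self._serial += 1
        key_id = self._serial.to_bytes(KEY_ID_LEN, "big")
        self._keys[key_id] = ChaCha20Poly1305.generate_key()
        self.current = key_id
        return key_id

    def seal(self, plaintext):
        """Encrypt under the current key. Layout: key_id || nonce || ciphertext."""
        key_id = self.current
        nonce = os.urandom(NONCE_LEN)  # random nonce, fresh for every message
        aead = ChaCha20Poly1305(self._keys[key_id])
        # The identifier travels in the clear and is authenticated as
        # additional data, so the tag only verifies for this identifier.
        return key_id + nonce + aead.encrypt(nonce, plaintext, key_id)

    def open(self, message):
        """Select the key named by the message, then verify and decrypt."""
        key_id = message[:KEY_ID_LEN]
        nonce = message[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
        ciphertext = message[KEY_ID_LEN + NONCE_LEN:]
        key = self._keys.get(key_id)
        if key is None:
            raise KeyError("unknown key identifier")
        # The same identifier must be supplied as additional data here;
        # a rewritten identifier makes decrypt() raise InvalidTag.
        return ChaCha20Poly1305(key).decrypt(nonce, ciphertext, key_id)
```
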