Skip to content

Incorrect IV Initialisation for AES-256-GCM and Constraints on the Number of Invocations #7

Open
@harrison-tc

Description

@harrison-tc

The current implementation does not follow NIST Special Publication 800-38D, in particular Section 8.2 IV Constructions and 8.3 Constraints on the Number of Invocations regarding the secret key.

To mitigate 8.2: IVs can be converted to deterministic construction per 8.2.1.
To mitigate 8.3: Temporary IDs should use an ephemeral key derived from the secret key and uid values, so that the same key is not used for more than 2^32 operations.

The current implementation may permit an adversary to fabricate IDs or Upload Tokens, if they collect duplicated IVs or more than 2^32 encryption operations are performed against the same key.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions