RE: [Cfrg] how to guard against VM rollbacks

"Wei Dai" <weidai@weidai.com> Thu, 01 February 2007 16:54 UTC

From: Wei Dai <weidai@weidai.com>
To: 'pgut001' <pgut001@cs.auckland.ac.nz>, cfrg@irtf.org
References: <09e601c73607$f73d7720$0300a8c0@weidai.com> <E1HBq5A-00022a-00@medusa01.cs.auckland.ac.nz>
In-Reply-To: <E1HBq5A-00022a-00@medusa01.cs.auckland.ac.nz>
Subject: RE: [Cfrg] how to guard against VM rollbacks
Date: Fri, 02 Feb 2007 00:54:09 +0800
Message-ID: <000c01c74621$9bba6e60$d32f4b20$@com>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>

Peter wrote:
> Several *theoretical* suggestions have been posted.  I haven't really seen
> anything that'll work in practice.

There have been several specific and practical suggestions, but they were
spread over several messages in the discussion. I'll summarize here:

1. Use random IVs instead of counter or state-derived IVs.

2. For any crypto scheme that uses random numbers or IVs, generate the
random numbers/IVs after the message to be encrypted and/or authenticated is
fixed.

3. Use the operating system's secure RNG to generate these random
numbers/IVs and hash in the current time and/or the message to make sure
random numbers are not reused on different messages.

4. As an alternative to 1-3 above, switch to a crypto scheme such as SIV
that is specifically designed to tolerate nonce reuse.


_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
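The following is an added illustration of suggestions 1-3 in Wei Dai's summary; it is not code from the thread or from any cited scheme, and it uses only the Python standard library. It models the rollback failure mode directly: a counter-derived nonce source is snapshotted and restored (as a VM snapshot would do), so nonces repeat across different messages; a message-bound source, which draws a nonce only after the message is fixed and hashes OS randomness, the clock and the message together, is run under the worst case where the rollback restored the RNG pool and the clock as well, and still gives distinct nonces to distinct messages. The class names, `NONCE_LEN`, the sample messages and the frozen RNG/clock are constructed for the example; suggestion 4 (switching to SIV) is not shown here.

```python
import hashlib
import os
import time
from typing import Callable, Dict, List, Tuple

NONCE_LEN = 12  # 96-bit nonce, the size used by AES-GCM and ChaCha20-Poly1305


class CounterNonceSource:
    """State-derived nonces: the pattern the thread warns against.

    A VM snapshot captures ``counter``; restoring the snapshot restores it,
    so the next nonce handed out is one that was already used.
    """

    def __init__(self) -> None:
        self.counter = 0

    def nonce(self, message: bytes) -> bytes:
        self.counter += 1
        return self.counter.to_bytes(NONCE_LEN, "big")

    def snapshot(self) -> Dict[str, int]:
        return {"counter": self.counter}

    def restore(self, snap: Dict[str, int]) -> None:
        self.counter = snap["counter"]


class MessageBoundNonceSource:
    """Suggestions 1-3: nonce taken only after the message is final, from fresh
    OS RNG output hashed together with the current time and the message.

    If a rollback restores the RNG pool and the clock, two *different*
    messages still get different nonces; only an identical message under
    identical conditions repeats a nonce, which reveals just "same message".
    """

    def __init__(self,
                 entropy: Callable[[int], bytes] = os.urandom,
                 clock: Callable[[], int] = time.time_ns) -> None:
        self.entropy = entropy  # injectable so a rolled-back RNG can be simulated
        self.clock = clock

    def nonce(self, message: bytes) -> bytes:
        # The message must already be fixed at this point (suggestion 2).
        material = (self.entropy(32)
                    + self.clock().to_bytes(8, "big")
                    + hashlib.sha256(message).digest())
        return hashlib.sha256(material).digest()[:NONCE_LEN]


def find_nonce_reuse(records: List[Tuple[bytes, bytes]]) -> List[Tuple[bytes, bytes]]:
    """Detection helper: report pairs of *different* messages that were given
    the same nonce. A repeated (nonce, message) pair is not reported."""
    seen: Dict[bytes, bytes] = {}
    reuse: List[Tuple[bytes, bytes]] = []
    for nonce, msg in records:
        if nonce in seen and seen[nonce] != msg:
            reuse.append((seen[nonce], msg))
        seen.setdefault(nonce, msg)
    return reuse


def rollback_experiment() -> Dict[str, List[Tuple[bytes, bytes]]]:
    """Snapshot, send traffic, roll back, send more traffic; return the nonce
    collisions each strategy produced. Sample messages are constructed."""
    before = [b"transfer 10 to alice", b"transfer 20 to bob"]
    after = [b"transfer 99 to mallory", b"transfer 5 to carol"]

    counter = CounterNonceSource()
    # Worst case for the message-bound source: the rollback also restored the
    # RNG pool and the clock, modelled here as constant output.
    frozen = MessageBoundNonceSource(entropy=lambda n: b"\x00" * n, clock=lambda: 0)

    records: Dict[str, List[Tuple[bytes, bytes]]] = {"counter": [], "message_bound": []}
    snap = counter.snapshot()  # VM snapshot taken here
    for m in before:
        records["counter"].append((counter.nonce(m), m))
        records["message_bound"].append((frozen.nonce(m), m))
    counter.restore(snap)      # VM rolled back to the snapshot
    for m in after:
        records["counter"].append((counter.nonce(m), m))
        records["message_bound"].append((frozen.nonce(m), m))

    return {name: find_nonce_reuse(recs) for name, recs in records.items()}


if __name__ == "__main__":
    for name, collisions in rollback_experiment().items():
        print(f"{name}: {len(collisions)} nonce reuse(s) across different messages")
```

The counter strategy reports two collisions after the rollback; the message-bound strategy reports none even with the randomness and clock frozen, because the message itself is part of the nonce derivation. In production the `entropy` and `clock` arguments are left at their defaults so that fresh OS randomness also covers the case where the same message is sent twice.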