@tarcieri
Last active December 11, 2015 10:59
  • Save tarcieri/4590841 to your computer and use it in GitHub Desktop.
Instructions for NaCl's crypto_secretbox
  • What the algorithm does for you: ensures data is kept confidential and that it cannot be undetectably modified by an attacker
  • What the algorithm expects from you: a unique bit of seed data (a nonce) which is never, ever reused (with the same key)
  • What happens if you reuse a nonce: complete loss of the confidentiality of your data (provided nonces are reused with the same key). Do NOT let this happen or you are breaking the security of your system
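Added example (not part of the gist and not NaCl's code): a Python sketch of the nonce discipline the three bullets ask for. It runs on the standard library alone, so XSalsa20-Poly1305 is replaced by a stand-in (SHA-256 in counter mode for the keystream, HMAC-SHA256 for the tag, so the tag is 32 bytes rather than Poly1305's 16). The stand-in keeps the secretbox layout (first 32 keystream bytes key the MAC, tag followed by ciphertext) and the one property the warning is about: the same (key, nonce) pair always yields the same keystream. `SafeBox` is a hypothetical wrapper that draws a fresh 24-byte nonce per message, refuses to reuse one under the same key, and prepends it to the box since nonces are not secret; `ciphertexts_cancel_to_plaintext_xor` shows the failure mode from the third bullet, with the keystream cancelling out only when the nonce repeats.

```python
import hashlib
import hmac
import os
import struct

KEY_BYTES = 32     # crypto_secretbox key length
NONCE_BYTES = 24   # crypto_secretbox nonce length (XSalsa20)
TAG_BYTES = 32     # stand-in uses HMAC-SHA256; real secretbox uses a 16-byte Poly1305 tag


def _keystream(key, nonce, length):
    # Stand-in keystream: SHA-256 in counter mode over (key, nonce, block index).
    # This is NOT XSalsa20; it only reproduces the stream-cipher property the gist
    # warns about: the same (key, nonce) always produces the same keystream.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", block)).digest()
        block += 1
    return bytes(out[:length])


def toy_secretbox(key, nonce, message):
    # Mirrors the secretbox layout: first 32 keystream bytes key the MAC,
    # the rest is XORed with the message; output is tag || ciphertext.
    stream = _keystream(key, nonce, 32 + len(message))
    mac_key, pad = stream[:32], stream[32:]
    ciphertext = bytes(m ^ k for m, k in zip(message, pad))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def toy_secretbox_open(key, nonce, boxed):
    # Returns the message, or None if the tag does not verify
    # (tampered ciphertext, wrong key, or wrong nonce).
    if len(boxed) < TAG_BYTES:
        return None
    tag, ciphertext = boxed[:TAG_BYTES], boxed[TAG_BYTES:]
    stream = _keystream(key, nonce, 32 + len(ciphertext))
    mac_key, pad = stream[:32], stream[32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, pad))


class SafeBox:
    """Hypothetical wrapper enforcing the gist's rules: a fresh random 24-byte nonce
    per message, never reused under this key, prepended to the box (nonces are public)."""

    def __init__(self, key):
        if len(key) != KEY_BYTES:
            raise ValueError("key must be %d bytes" % KEY_BYTES)
        self._key = key
        self._used = set()   # nonces already spent under this key

    def seal(self, message):
        nonce = os.urandom(NONCE_BYTES)
        if nonce in self._used:   # astronomically unlikely; fail closed rather than reuse
            raise RuntimeError("nonce reuse detected; refusing to encrypt")
        self._used.add(nonce)
        return nonce + toy_secretbox(self._key, nonce, message)

    def open(self, blob):
        if len(blob) < NONCE_BYTES + TAG_BYTES:
            return None
        nonce, boxed = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
        return toy_secretbox_open(self._key, nonce, boxed)


def ciphertexts_cancel_to_plaintext_xor(key, nonce1, nonce2, m1, m2):
    # The failure mode from the gist: under the same (key, nonce) the keystream cancels,
    # so c1 XOR c2 == m1 XOR m2 and the key never enters the picture. With distinct
    # nonces the two keystreams differ and the XOR is unrelated to the plaintexts.
    c1 = toy_secretbox(key, nonce1, m1)[TAG_BYTES:]
    c2 = toy_secretbox(key, nonce2, m2)[TAG_BYTES:]
    n = min(len(c1), len(c2))
    c_xor = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    m_xor = bytes(a ^ b for a, b in zip(m1[:n], m2[:n]))
    return c_xor == m_xor


if __name__ == "__main__":
    key = os.urandom(KEY_BYTES)          # constructed sample key
    box = SafeBox(key)
    blob = box.seal(b"constructed sample message")
    assert box.open(blob) == b"constructed sample message"
    same = bytes(NONCE_BYTES)
    print("same nonce leaks m1 XOR m2:",
          ciphertexts_cancel_to_plaintext_xor(key, same, same, b"message one", b"message two"))
    print("fresh nonces do not:",
          ciphertexts_cancel_to_plaintext_xor(key, same, os.urandom(NONCE_BYTES), b"message one", b"message two"))
```

The in-memory `_used` set only guards a single process; a real deployment that must survive restarts needs either a persisted counter or, as the 24-byte nonce size is meant to allow, random nonces whose collision probability stays negligible for the number of messages sent under one key.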
@tonyg

tonyg commented Jan 22, 2013

Worth making clear perhaps: loss of confidentiality of which data? Just the ones where the nonce is reused? (IIUC it's worse than that, right? It can lead to key recovery?)

@namelessjon

@tonyg: I think it's 'just' the confidentiality of the data you reused the nonces for. Taking the two secretboxes and XORing gets you msg1 XOR msg2. Then there's enough redundancy, known structure etc. in both text and many data formats that recovery of the two messages is not that hard. This then also lets you recover the keystream, i.e. the bits created from the Salsa cipher. I don't think it can lead to compromise of the key, however. Salsa20 is a stream cipher. You could recover the same information (the keystream) as long as you know that a message contains funnycat.jpg, by XORing that with the ciphertext. Allowing key recovery from the stream would mean that the cipher wasn't secure under chosen-plaintext attacks.

Also, and I'm less sure about this but they are one time authenticators, so I think that might also let you forge arbitrary valid messages for the same (key, nonce) pair by solving the equation used for constructing the authenticator.

@tarcieri: Might be worth noting that nonces are not required to be secret (unlike the key), e.g. it's fine to prepend them to the ciphertext. Also, say that they have to be 24 bytes long (though the exception will soon inform users of that). Add a link to the relevant page on http://nacl.cr.yp.to/ ?

@namelessjon

That is, taking two secretboxes with the same (key, nonce) pair in the first paragraph. That property doesn't hold once you change either.
