My system forwards encrypted and/or signed messages on a gossip network. Replay is part of the design. What should I do with the nonce? I'm tempted to just set it to the same number always. Is this a bad idea?
The nonce isn't just about replay: if an attacker can force someone to encrypt a very large plaintext, he can then read EVERY ciphertext encrypted with the key – Richie Frame Dec 03 '14 at 06:58
Ok, I will keep that in mind. How big must the plaintext be? Is using a GUID a good idea, or must the nonce be secret? – Jehan Dec 03 '14 at 07:00
Whatever plaintext is known or chosen, a nonce reuse will expose any message up to that length. I assume we are talking about a block cipher in CTR mode here – Richie Frame Dec 03 '14 at 07:09
Is it bad if an attacker knows the nonce? – Jehan Dec 03 '14 at 07:21
In this case they would not need to, and if you fix it, it would not be sent; but generally the nonce is sent along with the ciphertext, so the attacker knows it anyway – Richie Frame Dec 03 '14 at 07:56
2 Answers
Nonces must be unique but are not secret. Typically you send it alongside the ciphertext as a prefix. Note that with the asymmetric box, you must not use a nonce that you used in one direction in the opposite direction, since both directions use the same shared symmetric key.
Reusing a nonce is a fatal mistake. It completely breaks the MAC and it leaks the XOR of the two plaintexts. This leak is quite severe: if, for example, both texts are natural language, this allows recovery of most words of the messages.
Using a counter or a random value of at least 128 bits is a common approach to generating nonces.
Yes, it's a bad idea. Take for instance the encryption part, and assume a stream cipher (as used in NaCl). The messages may be unique, but as the stream cipher requires a unique nonce, you would lose all confidentiality!
The easiest thing to do is to simply use a (random) nonce even if not strictly required. If you cannot do that because of bandwidth restrictions, use the part that you use to verify that the messages are unique (i.e. that part that prevents replay attacks), hash or HMAC it - if it is too large - and use that as the nonce.
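The following is an added example, not code from either answer or from NaCl. It illustrates the point of both answers with a toy stream cipher: the first answer's warning that a repeated nonce leaks the XOR of the two plaintexts (so a known or guessed plaintext gives away the other one), and the second answer's suggestion to derive the nonce by HMAC-ing the unique replay-protection part of the message when a random nonce cannot be sent. The cipher here is HMAC-SHA256 run in counter mode; it is an assumption made only so the example runs with the Python standard library, and it is not a real cipher. What it shares with XSalsa20/ChaCha20/AES-CTR is the single property that matters: the keystream depends only on (key, nonce), so a repeated nonce repeats the keystream. The 24-byte nonce length, the `direction` label used to keep the two directions of a shared-key channel apart, and the message-id format are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 24  # assumption: same size as NaCl secretbox/box nonces


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (example only, not a real cipher).
    Keystream is a function of (key, nonce) alone, so reusing a nonce repeats it."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt and send the nonce in the clear as a prefix (nonces are not secret)."""
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, message: bytes) -> bytes:
    nonce, ciphertext = message[:NONCE_LEN], message[NONCE_LEN:]
    return xor(ciphertext, keystream(key, nonce, len(ciphertext)))


def recover_from_reuse(msg_a: bytes, msg_b: bytes, known_plaintext_a: bytes) -> bytes:
    """The attack from the first answer. Two messages under the same (key, nonce)
    satisfy ct_a XOR ct_b == pt_a XOR pt_b; with pt_a known (or guessed, as in the
    first comment's chosen-plaintext case), pt_b falls out up to len(pt_a)."""
    if msg_a[:NONCE_LEN] != msg_b[:NONCE_LEN]:
        raise ValueError("nonces differ: no keystream reuse to exploit")
    pa_xor_pb = xor(msg_a[NONCE_LEN:], msg_b[NONCE_LEN:])
    return xor(pa_xor_pb, known_plaintext_a)


def random_nonce() -> bytes:
    """First choice from both answers: a fresh random nonce per message (192 bits here)."""
    return secrets.token_bytes(NONCE_LEN)


def derived_nonce(key: bytes, direction: bytes, message_id: bytes) -> bytes:
    """Second answer's fallback when bandwidth forbids sending a nonce: HMAC the
    unique replay-protection field down to nonce size. Safe only while
    message_id never repeats under this key. `direction` (an assumption of this
    example) keeps A->B and B->A nonces distinct, per the first answer's caveat
    that a shared-key box must not reuse a nonce across directions."""
    tag = hmac.new(key, b"nonce|" + direction + b"|" + message_id, hashlib.sha256).digest()
    return tag[:NONCE_LEN]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    # Constructed sample messages for the demonstration.
    pt_a = b"the meeting is at dawn"
    pt_b = b"the key is under the mat"

    bad_nonce = b"\x00" * NONCE_LEN  # "just set it to the same number always"
    msg_a = encrypt(key, bad_nonce, pt_a)
    msg_b = encrypt(key, bad_nonce, pt_b)
    print("recovered:", recover_from_reuse(msg_a, msg_b, pt_a))  # prefix of pt_b

    good_a = encrypt(key, random_nonce(), pt_a)
    good_b = encrypt(key, random_nonce(), pt_b)
    print("ct_a^ct_b == pt_a^pt_b with unique nonces?",
          xor(good_a[NONCE_LEN:], good_b[NONCE_LEN:]) == xor(pt_a, pt_b))

    # Deterministic nonce from the message id that already prevents replay.
    msg_id = b"node7:seq=41"
    print(derived_nonce(key, b"A->B", msg_id) != derived_nonce(key, b"B->A", msg_id))
```

Because the message id in the gossip design is already what makes each message unique, `derived_nonce` costs no extra bytes on the wire; the receiver recomputes it from the same field. The two things it cannot survive are the two things the answers warn about: a message id that repeats under the same key, and the same id being used for traffic in both directions of a shared-key channel.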