
I'm implementing AES-GCM in a simple chat. Since there is no problem in the nonce being public and I need to change it in every message, can I send the message nonce unencrypted with the message itself?

An example:

There is a function like this:

AESGCM(nonce, key, data_to_encrypt, unencrypted_data)

And I use this way:

message = AESGCM(nonce, key, data, nonce)

Then, the encrypted message will look like this:

unencrypted_nonce | encrypted_data | authentication_tag

1 Answer


The AES-GCM documentation mentions nonce 3 times:

A value that is used only once within a specified context.

The IV is essentially a nonce

AESGCM(nonce, key, data, unencrypted_data)

AES-GCM internally uses AES in CTR mode of operation; CTR mode turns a block cipher into a stream cipher. For AES-GCM security and for CTR mode, a nonce (number used once) must be used only once per key. A nonce-key pair should only occur once. If a nonce repeats, this can cause:

  1. Confidentiality fails due to crib-dragging, as with all stream ciphers.
  2. Even a single AES-GCM nonce reuse can be catastrophic.

The nonce can be randomly generated; however, a counter/LFSR-based solution is better, and a better one still is the combination.

  • If you send the nonce encrypted, how do you expect to decrypt the message? It must be sent unencrypted. – kelalaka
  • My doubt is if I can send the nonce unencrypted with the encrypted data – Leonardo Nobrega Oct 09 '18 at 13:14
  • 1
    That is the point. Then why not encrypt the IV used to encrypt the old IV? As explained (the IV can be known to an attacker without breaking security.)(https://crypto.stackexchange.com/questions/5094/is-aes-in-cbc-mode-secure-if-a-known-and-or-fixed-iv-is-used?noredirect=1&lq=1) you don't increase the security. – kelalaka Oct 09 '18 at 14:02
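As an added example (not code from the question or from kelalaka's answer), the following Go program builds the exact wire layout the question describes, `nonce | encrypted_data | authentication_tag`, using the standard library's `crypto/cipher` GCM, whose `Seal(dst, nonce, plaintext, aad)` argument order differs from the question's pseudo-function. The nonce is the counter-plus-prefix "combination" the answer recommends (a 4-byte per-direction prefix followed by an 8-byte counter), it is sent in the clear and also bound as AAD as in the question, and the sender refuses to continue once the counter is exhausted rather than ever repeating a nonce under the same key. The key, prefix and messages are constructed demo values; the replay check on the receiver is an assumption about what a chat protocol would want, not something the answer specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const nonceSize = 12 // GCM's standard 96-bit nonce

var (
	ErrCounterExhausted = errors.New("nonce counter exhausted: rotate the key")
	ErrTooShort         = errors.New("message shorter than nonce+tag")
	ErrReplay           = errors.New("nonce counter not increasing: replayed or reordered message")
)

// Sender derives every nonce as prefix(4 bytes) || counter(8 bytes), so no
// (key, nonce) pair repeats while this key is in use.
type Sender struct {
	aead    cipher.AEAD
	prefix  [4]byte
	counter uint64
}

// Receiver reads the public nonce from the message and remembers the last
// accepted counter (assumed replay protection, not part of the answer).
type Receiver struct {
	aead cipher.AEAD
	last uint64
	seen bool
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewSender(key []byte, prefix [4]byte) (*Sender, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &Sender{aead: aead, prefix: prefix}, nil
}

func NewReceiver(key []byte) (*Receiver, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &Receiver{aead: aead}, nil
}

// Seal produces nonce || ciphertext || tag. The nonce travels unencrypted and
// is also passed as additional data, matching the layout in the question.
func (s *Sender) Seal(plaintext []byte) ([]byte, error) {
	if s.counter == ^uint64(0) {
		return nil, ErrCounterExhausted // never wrap around and reuse a nonce
	}
	nonce := make([]byte, nonceSize)
	copy(nonce[:4], s.prefix[:])
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	s.counter++

	out := make([]byte, 0, nonceSize+len(plaintext)+s.aead.Overhead())
	out = append(out, nonce...)
	// Seal appends ciphertext||tag after the nonce already in out.
	return s.aead.Seal(out, nonce, plaintext, nonce), nil
}

// Open splits off the public nonce, verifies the tag (any change to nonce,
// ciphertext or tag fails here) and only then enforces a rising counter.
func (r *Receiver) Open(wire []byte) ([]byte, error) {
	if len(wire) < nonceSize+r.aead.Overhead() {
		return nil, ErrTooShort
	}
	nonce, body := wire[:nonceSize], wire[nonceSize:]
	plaintext, err := r.aead.Open(nil, nonce, body, nonce)
	if err != nil {
		return nil, err
	}
	ctr := binary.BigEndian.Uint64(nonce[4:])
	if r.seen && ctr <= r.last {
		return nil, ErrReplay
	}
	r.last, r.seen = ctr, true
	return plaintext, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key
	s, _ := NewSender(key, [4]byte{'A', '2', 'B', 0})
	r, _ := NewReceiver(key)
	for _, m := range []string{"hello", "hello"} { // same text, different nonce
		wire, _ := s.Seal([]byte(m))
		pt, err := r.Open(wire)
		fmt.Printf("nonce=%x plaintext=%q err=%v\n", wire[:nonceSize], pt, err)
	}
}
```

Two design points worth noting: GCM's tag already depends on the nonce (it is derived from the counter block built from the IV), so passing the nonce as AAD as the question does is harmless but not required for a modified nonce to be detected; and the counter that keeps the nonce unique also gives the receiver something to check, since a message whose authenticated counter is not higher than the last accepted one is a replay or reordering rather than a fresh message.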