Hi,

On May 15, 2016 10:28, "Peter Gutmann" <pgut...@cs.auckland.ac.nz> wrote:
>
> RFC Errata System <rfc-edi...@rfc-editor.org> writes:
>
> >The following errata report has been submitted for RFC5288, "AES Galois
> >Counter Mode (GCM) Cipher Suites for TLS".
>
> I think the erratum needs an erratum.

No problem, but:

> Firstly, "nonce" doesn't mean "number
> used once", and secondly nonce re-use in AES-GCM doesn't just result in
> "catastrophic failure of its authenticity", it results in catastrophic
> failure of the entire mode, both confidentiality and integrity/authenticity.

What do you think nonce stands for?
https://en.wikipedia.org/wiki/Cryptographic_nonce

In TLS, nonce reuse allows us to attack the authentication key of GCM, not the actual master secret. There's no direct break of the confidentiality, just authenticity (and thus integrity).

For HTTPS this allows us to inject content, which then may lead to a compromise of the session confidentiality.

Maybe I misunderstood what you meant.

Aaron

> Peter.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
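Worked example, added here as an editorial note; it is not part of the thread, RFC 5288, or either poster's material. The Go program below reproduces what a repeated AES-GCM nonce gives an attacker, using the standard library's crypto/cipher as the victim. It assumes a constructed key, a constructed 12-byte nonce (TLS 1.2 builds its 12-byte GCM nonce from a 4-byte implicit salt and an 8-byte explicit part, but GCM itself only sees the 12 bytes), two constructed one-block plaintexts of equal length, and no additional data. In that special case the XOR of the two tags is (C1 xor C2) times H squared, so the GHASH key H falls out of one square root in GF(2^128); with per-record AAD or multi-block records of different lengths, as in a real TLS connection, recovering H means finding the roots of a polynomial in H over GF(2^128) (Joux's "forbidden attack"), but the two consequences shown here are the same: the shared CTR keystream exposes P1 xor P2, and the recovered H and tag mask let the attacker forge a tag for any ciphertext under that nonce. The field arithmetic is a direct transcription of NIST SP 800-38D; all names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// fe is an element of GF(2^128) in GCM's bit order: a block's leftmost bit is x^0.
type fe struct{ hi, lo uint64 }
func feFromBytes(b []byte) fe {
	return fe{binary.BigEndian.Uint64(b[:8]), binary.BigEndian.Uint64(b[8:16])}
}
func (a fe) bytes() []byte {
	out := make([]byte, 16)
	binary.BigEndian.PutUint64(out[:8], a.hi)
	binary.BigEndian.PutUint64(out[8:], a.lo)
	return out
}
func (a fe) xor(b fe) fe { return fe{a.hi ^ b.hi, a.lo ^ b.lo} }

// gfMul is Algorithm 1 of NIST SP 800-38D (reduction by R = 11100001 || 0^120).
func gfMul(x, y fe) fe {
	var z fe
	v := y
	for _, w := range [2]uint64{x.hi, x.lo} {
		for i := 63; i >= 0; i-- {
			if (w>>uint(i))&1 == 1 {
				z = z.xor(v)
			}
			lsb := v.lo & 1
			v.lo, v.hi = (v.lo>>1)|(v.hi<<63), v.hi>>1
			if lsb == 1 {
				v.hi ^= 0xe100000000000000
			}
		}
	}
	return z
}

// gfSqrtDiv returns sqrt(n/d) as n^(2^127) * d^(2^127-1): squaring is a
// bijection in characteristic 2 and d^(2^128-1) = 1, so no inversion is needed.
func gfSqrtDiv(n, d fe) fe {
	t, r := d, d // t = d^(2^i), r = d^(2^(i+1)-1)
	for i := 0; i < 126; i++ {
		t = gfMul(t, t)
		r = gfMul(r, t)
	}
	for i := 0; i < 127; i++ {
		n = gfMul(n, n)
	}
	return gfMul(n, r)
}

// ghash computes GHASH_H over a ciphertext with no AAD: zero-padded blocks, then the length block.
func ghash(h fe, ct []byte) fe {
	var y fe
	for i := 0; i < len(ct); i += 16 {
		blk := make([]byte, 16)
		copy(blk, ct[i:])
		y = gfMul(y.xor(feFromBytes(blk)), h)
	}
	return gfMul(y.xor(fe{lo: uint64(len(ct)) * 8}), h)
}
// NonceReuseAttack seals two one-block messages under one key and nonce with Go's AES-GCM, then,
// knowing only C1, T1, C2, T2 and P1, recovers P2 and H and forges a two-block record for gcm.Open.
func NonceReuseAttack() (recoveredP2, forgedPlain []byte, accepted bool) {
	key := []byte("constructed-key!") // constructed 16-byte demo key
	nonce := []byte("same-nonce12")   // constructed 12-byte nonce, reused below
	p1 := []byte("PAY 0100 TO BOB!")  // known to the attacker
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has GCM's 128-bit block
	ct1 := gcm.Seal(nil, nonce, p1, nil)                           // C1 || T1
	ct2 := gcm.Seal(nil, nonce, []byte("PAY 0001 TO EVE!"), nil) // C2 || T2, P2 unknown to attacker
	c1, t1 := feFromBytes(ct1[:16]), feFromBytes(ct1[16:])
	c2, t2 := feFromBytes(ct2[:16]), feFromBytes(ct2[16:])
	// 1. Confidentiality: same nonce, same CTR keystream, so C1^C2 = P1^P2.
	recoveredP2 = c1.xor(c2).xor(feFromBytes(p1)).bytes()
	// 2. Authenticity: E(K,J0) and the equal length blocks cancel in T1^T2, leaving
	//    (C1^C2)*H^2, so H = sqrt((T1^T2)/(C1^C2)) and E(K,J0) = T1 ^ GHASH_H(C1).
	h := gfSqrtDiv(t1.xor(t2), c1.xor(c2))
	s := t1.xor(ghash(h, ct1[:16]))
	// 3. Forge a two-block record: block 1 decrypts to a chosen plaintext (keystream reuse),
	//    block 2 is arbitrary; its tag involves H^3, so acceptance checks H, not just H^2.
	p3 := []byte("PAY 9999 TO EVE!")
	forged := append(c1.xor(feFromBytes(p1)).xor(feFromBytes(p3)).bytes(), make([]byte, 16)...)
	forged = append(forged, ghash(h, forged).xor(s).bytes()...)
	forgedPlain, err = gcm.Open(nil, nonce, forged, nil)
	return recoveredP2, forgedPlain, err == nil
}
func main() {
	p2, p3, ok := NonceReuseAttack()
	fmt.Printf("recovered P2: %q\nforgery accepted: %v, decrypts to %q\n", p2, ok, p3)
}
```

Running it with `go run` prints the second plaintext recovered purely from C1 xor C2 xor P1, and reports that the victim's gcm.Open accepted a record it never sent, whose first block decrypts to the attacker's chosen text. The second block of the forgery is deliberately left as zeros: the attacker has only seen one keystream block, so it cannot choose that plaintext, but it does not need to in order to pass authentication. Note that none of this touches the AES key or, in TLS terms, the master secret; the damage is confined to the traffic under the repeated nonce, which is exactly what makes both the keystream and the tag algebra reusable.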