blur-network / blur

The Blur Network is a privacy-oriented peer-to-peer network, built upon the premise that privacy is incompatible with centralization. BLUR employs a custom mining algorithm called CryptoNight-Dynamic. Iterations adjust approximately once every five seconds, with a goal of maintaining CPU advantages over specialized mining hardware.
https://blur.cash

ChaCha20Poly1305: Nonce is not incremented above 2^70, allowing for inadvertent reuse #56

Open who-biz opened 5 years ago

who-biz commented 5 years ago

This is security-breaking behavior, potentially. Simply generating a random nonce each time is not sufficient in this scenario. We need to use a counter as well, to ensure that we don't use a given nonce + MAC key more than once for the same encrypted information.

This takes place here: https://github.com/blur-network/blur/blob/master/src/crypto/chacha.c#L142 and has relevance here: https://github.com/blur-network/blur/blob/5971fe6b788282ba02dc0af4e07fa77c2cdda158/src/wallet/wallet2.cpp#L3997 ... among other places, too.

For the implications of what this inadvertent reuse could result in, see: https://github.com/miscreant/miscreant/wiki/Nonce-Reuse-Misuse-Resistance

This was mentioned as a prospective change in #53

who-biz commented 5 years ago

Why don't we place a hard stop at 2^70 at this point? If we can't securely encrypt data larger than that (limitation of chacha20), or if it never happens ... why not place a stop there instead of making it a user's responsibility?

Edit: Need to look into difficulty calculations, as this has probably the most relevance there, where we frequently deal with larger than 70-bit numbers.
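The two comments above ask for a counter alongside the random nonce and for a hard stop at 2^70 bytes. The following is an added illustration of that bookkeeping, not code from the blur repository: it tracks nonces for one key, refuses a nonce that has already been used, refuses to keystream more than 2^70 bytes under one nonce (the 2^64 block counter of the original ChaCha20 construction times 64-byte blocks), and stops rather than wrapping its counter. The nonce layout (32-bit random prefix followed by a 32-bit counter), the class and exception names, and the constants are assumptions chosen for the example; it also adds a birthday-bound estimate showing why a purely random 64-bit nonce is not enough on its own.

```python
"""Nonce bookkeeping for a ChaCha20-style cipher with a 64-bit nonce.

Added example, not code from the blur repository. Constants and layout are
assumptions chosen to match the figures in the issue: the original ChaCha20
construction keystreams 64-byte blocks under a 64-bit block counter, so one
nonce covers at most 2^64 * 64 = 2^70 bytes.
"""
import secrets
import struct
from typing import Optional

CHACHA_BLOCK_BYTES = 64
CHACHA_BLOCK_COUNTER_BITS = 64
NONCE_BITS = 64
# The hard stop proposed in the issue: never keystream more than 2^70 bytes
# under one (key, nonce) pair.
MAX_BYTES_PER_NONCE = CHACHA_BLOCK_BYTES << CHACHA_BLOCK_COUNTER_BITS  # 2**70
COUNTER_MAX = 0xFFFFFFFF  # 32-bit message counter in the low half of the nonce


class NonceExhausted(Exception):
    """Counter would wrap: retire the key instead of reusing nonces."""


class NonceReuse(Exception):
    """A (key, nonce) pair was about to be used a second time."""


class MessageTooLong(Exception):
    """Message exceeds what one nonce can safely keystream."""


class NonceManager:
    """Issues never-repeating 64-bit nonces for a single key.

    Layout (assumption): 32-bit random prefix || 32-bit big-endian counter.
    The random prefix separates instances that share a key without shared
    state; the counter guarantees uniqueness within an instance, and the
    manager refuses to continue once the counter would wrap.
    """

    def __init__(self, prefix: Optional[int] = None, start: int = 0):
        self._prefix = secrets.randbits(32) if prefix is None else prefix
        self._counter = start
        self._seen: set = set()

    def next_nonce(self, message_len: int) -> bytes:
        if message_len > MAX_BYTES_PER_NONCE:
            raise MessageTooLong(f"{message_len} bytes exceeds the 2^70 limit")
        if self._counter > COUNTER_MAX:
            raise NonceExhausted("counter space used up; rotate the key")
        nonce = struct.pack(">II", self._prefix, self._counter)
        self._counter += 1
        return self.register(nonce)

    def register(self, nonce: bytes) -> bytes:
        """Record a nonce about to be used; reject one already seen."""
        if nonce in self._seen:
            raise NonceReuse(nonce.hex())
        self._seen.add(nonce)
        return nonce


def random_nonce_collision_bound(messages: int, nonce_bits: int = NONCE_BITS) -> float:
    """Birthday-bound estimate of P(two independently random nonces collide)."""
    return messages * (messages - 1) / 2 / 2 ** nonce_bits


def demo() -> dict:
    """Exercise the three refusals; returns a dict so callers can check it."""
    results = {}
    m = NonceManager(prefix=1)
    a, b = m.next_nonce(32), m.next_nonce(32)
    results["distinct"] = a != b
    results["first"] = a.hex()
    try:
        m.register(a)  # same nonce under the same key: must be refused
        results["reuse_refused"] = False
    except NonceReuse:
        results["reuse_refused"] = True
    try:
        m.next_nonce(MAX_BYTES_PER_NONCE + 1)
        results["too_long_refused"] = False
    except MessageTooLong:
        results["too_long_refused"] = True
    last = NonceManager(prefix=2, start=COUNTER_MAX)
    last.next_nonce(1)  # the final legal counter value
    try:
        last.next_nonce(1)  # would wrap to 0 and repeat the first nonce
        results["exhaustion_refused"] = False
    except NonceExhausted:
        results["exhaustion_refused"] = True
    # About 2^32 random 64-bit nonces already give roughly even odds of a repeat.
    results["birthday_at_2_32"] = random_nonce_collision_bound(2 ** 32)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the outcome of each check. The point of the counter is that uniqueness becomes a property of the state machine rather than of luck: the random prefix only protects against two instances that lost each other's state, while the counter and the hard stops guarantee that no (key, nonce) pair is used twice and that no single nonce is stretched past the 2^70-byte keystream limit.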