chokepoint
commented
10 years ago Thanks for checking out the code. I'll start working on these issues.
Since GCM mode uses a counter IV, could that not also be double tasked to track the sequence of packets? Just trying to find a way to keep the overhead to a minimum.
defuse
I have a hobby of auditing random crypto code I find on github, so I took a look at this one. There are two problems I found:
First, the way it checks if the key has already been generated will lead to unnecessary calls to PBKDF2, which could slow it down a lot:
A random key will have the first byte 0 with probability 1 in 256. For such keys, PBKDF2 will be re-run for every call to encrypt_data.
Second, the same key is used for both directions (from the client to server, and server to client). This makes it possible to re-send one side of the connection's own packets back to itself and it will accept them as though the other client is sending them. Also, there are no sequence numbers, so packets can be re-ordered by the adversary and it will not be detected.
I suggest adding to the disclaimer section that it does not provide message authentication, since to claim message authentication those properties must be satisfied as well.