jedisct1 / libsodium-doc

Gitbook documentation for libsodium
https://libsodium.org
ISC License

AEAD robustness implementation examples #125

Closed samuel-lucas6 closed 3 years ago

samuel-lucas6 commented 3 years ago

From the Robustness section for AEAD constructions:

If that turns out to be a concern, this can be solved in different ways:

  • By incorporating a key identifier in the nonce
  • By including a key identifier in the additional data
  • By including a 128-bit fixed string in the message and verifying it during the decryption process

The third bullet point is very clear. However, it's less clear how to create a key identifier for the first and second bullet point implementations. The papers on the subject are rather confusing if you're not used to the notation. Could you please explain a suitable method of generating a key identifier in the documentation? Thank you.

jedisct1 commented 3 years ago

A key identifier is anything that can let your application uniquely identify a key, in a protocol handling key rotation.

This information doesn't have to be secret nor unpredictable. It can be a serial number (even a simple counter) or a random value, although padding to at least 128 bits wouldn't be a bad idea.

If this is confusing, I'd rather remove this from the documentation, especially since papers have been published on that subject.

samuel-lucas6 commented 3 years ago

That makes sense. I assumed it was referring to deriving some sort of subkey before.