frochet
commented
4 years ago The other solution would be to derive new keys/IVs for each streams. However it is unnecessary, and reduce the confidentiality by a factor of the number of streams.
Closed frochet closed 3 years ago
frochet
commented
4 years ago The other solution would be to derive new keys/IVs for each streams. However it is unnecessary, and reduce the confidentiality by a factor of the number of streams.
frochet
commented
3 years ago A few things above were wrong. Long story short, we only need to increment 25 bits (for 96bits IV) and not touching the first 7 bits.
Implemented the logic for 96 bits IVs. A stream created by the client needs to increment the 25 bits by 1. A stream created by the server needs to decrement by 1 (and wrap around).
The current design supports 1 key for all streams, but different IVs
Upon new stream attachment, we need to derive a new symmetric value for the IV (that is, it is the same for the sender side and the receiver side). The current mechanism increases the lower bits of the handshake IV by 4096 (i.e., the maximum number of calls to AES for encrypting/decrypting one record) to avoid a chance for the AES counter to overlap on different messages.
The function stream_derive_new_aead_iv doing this job needs to be debugged (it does not derive a symmetric IV).