AES use same Nonce security risk?

When using AES-GCM, using the same nonce and key pair for multiple messages is catastrophic. You lose all of the security guarantees AES is supposed to provide. This is the worst possible scenario you could create. It is critical when using AES-GCM that the nonce is never repeated for any given key. The best way to ensure this is to use a cryptographically strong PRNG to generate a new 96-bit nonce for each message, and to re-key at reasonably regular intervals, where "reasonably regular" is defined by how much data and how many messages you're encrypting.


AES-GCM is an authenticated stream cipher.

The nonce will be used for the key of the stream cipher, and the first rule of stream ciphers is ~~you don't talk about stream ciphers~~ never use the same key/IV twice.

Ignoring this rule leads to catastrophic failures in encryption.

On the other hand, the nonce will also be used to prevent "replay" attacks on the authentication part of the cipher. So even if you magically avoided directly weakening the cipher by reusing the nonce, you'd still be weakening authentication and consequently the cipher.
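As an added example (not part of any answer above), a small Go program using only the standard library shows the failure the answers describe: when one key/nonce pair is used for two messages, the XOR of the two GCM ciphertexts equals the XOR of the two plaintexts, because both were masked with the same CTR keystream; with a fresh random 96-bit nonce per message that relationship disappears. The key, the fixed nonce and the two messages are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// sealWithNonce: AES-GCM encrypt pt under key with a caller-chosen 96-bit nonce; returns ciphertext||tag.
func sealWithNonce(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length fails here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm.Seal(nil, nonce, pt, nil)
}

// sealFresh is the safe pattern: a new CSPRNG 96-bit nonce per message, returned to travel with ct.
func sealFresh(key, pt []byte) (nonce, ct []byte) {
	nonce = make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce, sealWithNonce(key, nonce, pt)
}

// keystreamReused reports whether ct1^ct2 == pt1^pt2 over the shorter plaintext (tags ignored),
// which holds exactly when both messages used the same CTR keystream, i.e. the same key/nonce.
func keystreamReused(pt1, ct1, pt2, ct2 []byte) bool {
	for i := 0; i < len(pt1) && i < len(pt2); i++ {
		if ct1[i]^ct2[i] != pt1[i]^pt2[i] {
			return false
		}
	}
	return true
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key
	pt1, pt2 := []byte("transfer 100 to alice"), []byte("transfer 900 to mallory")
	fixed := make([]byte, 12) // constructed: one nonce for both messages (the bug)
	fmt.Println("reused nonce leaks pt1^pt2:", keystreamReused(pt1, sealWithNonce(key, fixed, pt1), pt2, sealWithNonce(key, fixed, pt2)))
	_, c1 := sealFresh(key, pt1)
	_, c2 := sealFresh(key, pt2)
	fmt.Println("fresh nonces leak pt1^pt2:", keystreamReused(pt1, c1, pt2, c2))
}
```

Because GCM encryption is deterministic for a fixed key and nonce, a receiver can also spot the mistake directly: two identical ciphertexts for two identical plaintexts mean the nonce was reused.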


Please refer to NIST publication SP 800-38A for details regarding the best practices for using a 'nonce' as an IV.

There are two recommended methods for generating unpredictable IVs. The first method is to apply the forward cipher function, under the same key that is used for the encryption of the plaintext, to a nonce. The nonce must be a data block that is unique to each execution of the encryption operation. For example, the nonce may be a counter, as described in Appendix B, or a message number. The second method is to generate a random data block using a FIPS approved random number generator.

With regard to AES-GCM mode (Galois/Counter Mode), as quoted from the NIST-published paper by David A. McGrew & John Viega:

The primary purpose of the IV is to be a nonce, that is, to be distinct for each invocation of the encryption operation for a fixed key. It is acceptable for the IV to be generated randomly, as long as the distinctness of the IV values is highly likely.

And of course the obvious obligatory definition of a nonce.

Tags: aes, nonce