How safe is store nonce with encrypted text?

riwasat604

2/6/23, 3:06 PM

I am using AESGCM256 with a nonce of 96 bytes to store keys (very secret information). There are more than 500 keys, the only place where they can be stored in decrypted form is the application RAM.

Now, when the application is launched, the user enters one decryption key and a nonce for each key. This is very uncomfortable, all the nonce are stored separately from the database where the encrypted keys are stored.

Is it safe to store nonce next to encrypted text? For example - nonce + ciphertext . That is, if an attacker has gained access to encrypted data, will it be easier for him to decrypt the keys if he knows the nonce? If not, then why do all libraries separate the nonce from the ciphertext, and not concatenate it?

0 + 0

nonce

aes-gcm

kelalaka

2/6/23, 3:33 PM

Does this answer your question? [What is the main difference between a key, an IV and a nonce?](https://crypto.stackexchange.com/questions/3965/what-is-the-main-difference-between-a-key-an-iv-and-a-nonce). Where did you see that they all are separating? You should say the libraries that I see ( with some lists) sperates...

riwasat604

2/6/23, 4:01 PM

@kelalaka https://pkg.go.dev/crypto/cipher#AEAD.Open and this example - https://gist.github.com/kkirsche/e28da6754c39d5e7ea10

kelalaka

2/6/23, 4:18 PM

They are just examples of simple AES-GCM encryption. Nothing is serious. The only plausible reason is that they fear the IV/nonce-reuse of [AES-GCM](https://crypto.stackexchange.com/q/84357/18298) which can cause loss of confidentiality and [forgeries](https://crypto.stackexchange.com/a/68525/18298). They may query the nonce/IV column to mitigate this. Instead one can use [AES-GCM-SIV](https://crypto.stackexchange.com/q/82105/18298) mode or [XChaCha20](https://crypto.stackexchange.com/a/87347/18298)-Poly1305 as a better alternative, 192-bit nonces.

riwasat604

2/6/23, 7:52 PM

@kelalaka But if I store the nonce together with the decryption key, and not concatenate it with the encrypted text, then it will be much more difficult for a hacker to hack the secret data?

riwasat604

2/6/23, 8:00 PM

Is storing the nonce separately from the ciphertext for greater security a bad practice?

kelalaka

2/6/23, 8:00 PM

The nonce doesn't mean to be secret. There is no secrecy on it. Just use a Master key and derive them? have you ever heard of password managers? Simply user have one strong master password ( possibly dicewire) and using HKDF to derive the master key, using this master key decrypt other keys and use them.

kelalaka

2/7/23, 7:53 AM

You might be interested in this; [Is it dangerous to encrypt lots of small files with the same key?](https://crypto.stackexchange.com/a/84440/18298)

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How safe is store nonce with encrypted text?

TH: การจัดเก็บ nonce ด้วยข้อความที่เข้ารหัสปลอดภัยแค่ไหน?

RO: Cât de sigur este stocarea nonce cu text criptat?

RU: Насколько безопасно хранить одноразовый номер с зашифрованным текстом?

VI: Lưu trữ nonce với văn bản được mã hóa an toàn đến mức nào?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.