Score:1

Do I need to change IV in AES-256 GCM when I only use encryption for challenge-response exchange with random string?


When I want to use encryption only for a challenge-response exchange and not for hiding the contents of an encrypted message, is it still a threat to me if I don't change the IV for each new encryption?

For easier understanding why I ask this here is my situation:

I'm using two Arduinos with LoRa transceivers to communicate with each other. One is a bridge connected to the internet and the other is connected to servos and sensors.

I don't care if the potential attacker knows that some packet is, for example, rotating a servo to the right and another packet is sending data from the humidity sensor to the bridge.

The only thing I care for is that attacker cannot imitate any of these commands so he can't spin my servos and send bad values that don't come from my humidity sensor.

That's why I use challenge-response exchange so that I can verify if my bridge sent the packet and etc.

But there is no way (at least one I know of) for me to exchange IV to the other Arduino, so it can decode the challenge.

My questions are:

Can not changing the IV be somehow exploited in my case? If yes, how, and what does it mean for me?

Is there any better way to do it?

Maarten Bodewes:
CBC-MAC is fine for fixed size messages. You can bring it down to 64 bits if you may run out of space.
kelalaka:
The IV is not exchanged; the IV is generated locally and then transmitted with the ciphertext, usually as $IV|Ciphertext|AuthenticationTag$. If you don't care that the attacker knows your data, maybe you need only integrity and authentication. You can simply use HMAC. Keep in mind that replay attacks might be possible in your case.
Maarten Bodewes:
HMAC is supported out of the box it seems, with a recent library. But for CBC-MAC you'll need the legacy CBC mode implementation (and do bit-padding yourself). It might be faster though, it depends a lot on implementation detail. HMAC-SHA-1 should be speedy and secure enough for most purposes.
kelalaka:
And more detail on the IV-reuse catastrophe of AES/GCM is [here](https://crypto.stackexchange.com/q/26790/18298).
Score:3

You must change the IV every time.

It has been noted in various places (see for example Joux, "Authentication Failures in NIST version of GCM", section 3) that a single repeated IV is very likely to give an attacker the ability to compute authentication tags for themselves. Together with the malleability of counter mode, if the attacker knows the XOR of two responses and the authenticated encryption of one, they would then freely be able to forge the other.

As noted in the comments, keyed HMAC provides a very good alternative. A simple challenge response exchange might be:

  • Bridge: "I wish to give you an instruction"
  • Servo: nonce
  • Bridge: command,HMAC(Secret key,nonce|command)

Servo checks the HMAC value against its own computation and, if they are equal, executes the command. Provided that the servo does not repeat nonces and the key remains secret, this should work. The nonces can even be from a counter (provided that the counter cannot be forced to repeat).
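The three-message exchange above, worked through as an added example (not code from the answer or from the OP's project): both sides are simulated in one process, the servo keeps a set of nonces it has issued so a captured response cannot be replayed, and the shared key, nonce length and command strings are constructed for the demonstration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16  # fixed length keeps nonce|command unambiguous to parse


def compute_tag(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """HMAC(Secret key, nonce|command), the answer's third message."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


class Servo:
    """Device side: hands out fresh nonces, executes only tagged commands."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = set()   # nonces issued but not yet consumed
        self.executed = []     # commands actually acted on

    def challenge(self) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        self.pending.add(nonce)
        return nonce

    def receive(self, nonce: bytes, command: bytes, mac: bytes) -> bool:
        # Constant-time compare avoids timing leaks; the pending check
        # rejects replays and tags over nonces this servo never issued.
        if not hmac.compare_digest(compute_tag(self.key, nonce, command), mac):
            return False
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)  # every nonce is single-use
        self.executed.append(command)
        return True


def bridge_respond(key: bytes, nonce: bytes, command: bytes):
    """Internet side: answers the challenge with command, HMAC(key, nonce|command)."""
    return command, compute_tag(key, nonce, command)


def scenario() -> dict:
    key = os.urandom(32)  # constructed shared secret, provisioned on both Arduinos
    servo = Servo(key)
    nonce = servo.challenge()
    cmd, mac = bridge_respond(key, nonce, b"SERVO_RIGHT")
    results = {"genuine": servo.receive(nonce, cmd, mac)}
    results["replay"] = servo.receive(nonce, cmd, mac)  # same packet captured and resent
    results["tampered"] = servo.receive(servo.challenge(), b"SERVO_LEFT", mac)
    n2 = servo.challenge()  # attacker without the key answers a fresh challenge
    results["wrong_key"] = servo.receive(n2, cmd, compute_tag(b"guess", n2, cmd))
    return results
```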

kelalaka:
Well, actually, a zero IV can be used for a long time with a deterministic construction provided that there is no system crash. [NIST already suggests this type of usage](https://crypto.stackexchange.com/q/84357/18298). Still risky for the OP, and GCM has many pitfalls; HMAC is the better choice since it has fewer pitfalls.