
Nonces aren't cryptographically secure random numbers. They merely have to be different for each encryption, which is why even a counter suffices. The problem was, the counter was being incorrectly reset to zero.

It's just as secure to concatenate a string that is a function of the time of day with the counter. Another scheme would be to start out with a cryptographically hard number that is incremented each time.


The problem was, the counter was being incorrectly reset to zero.

The counter was being correctly reset to zero. The nonce was being incorrectly not set to non-zero. (In CTR mode, there is a 64-bit nonce which is different for each message and a 64-bit counter which starts at zero for each message and increments as you move through the message.)
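The 64-bit nonce || 64-bit counter layout described in this comment, as an added example that is not code from the thread. It uses a keyed PRF (HMAC-SHA256 truncated to 16 bytes) as a constructed stand-in for the AES block function, and adds a per-key nonce tracker as the kind of guard that would have caught a nonce left at zero.

```python
import hmac
import hashlib

BLOCK = 16

def block_prf(key: bytes, counter_block: bytes) -> bytes:
    """Constructed stand-in for AES-128 block encryption: a keyed PRF
    truncated to one block. Only the counter_block layout matters here."""
    assert len(counter_block) == BLOCK
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK]

def ctr_block(nonce: bytes, counter: int) -> bytes:
    """64-bit per-message nonce || 64-bit block counter (starts at zero)."""
    assert len(nonce) == 8
    return nonce + counter.to_bytes(8, "big")

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: XOR data with keystream blocks PRF(key, nonce||i), i=0,1,...
    Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = block_prf(key, ctr_block(nonce, i // BLOCK))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class NonceTracker:
    """Rejects any (key, nonce) pair already used, catching a nonce stuck at zero."""
    def __init__(self):
        self.seen = set()
    def encrypt(self, key: bytes, nonce: bytes, data: bytes) -> bytes:
        if (key, nonce) in self.seen:
            raise ValueError("nonce reused under this key")
        self.seen.add((key, nonce))
        return ctr_crypt(key, nonce, data)

def demo_nonce_reuse(key: bytes, p1: bytes, p2: bytes):
    """Returns (reused_leaks, distinct_leaks): with the nonce left at zero
    both messages share a keystream, so c1 XOR c2 == p1 XOR p2."""
    zero = bytes(8)                      # what an unset nonce looks like
    c1 = ctr_crypt(key, zero, p1)
    c2 = ctr_crypt(key, zero, p2)
    reused = xor(c1, c2) == xor(p1, p2)  # True: keystream reused
    c3 = ctr_crypt(key, (1).to_bytes(8, "big"), p2)
    distinct = xor(c1, c3) == xor(p1, p2)  # False: fresh nonce
    return reused, distinct
```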


You're right in the CTR case; I just default to recommending random nonces because that's what you need for CBC.


And still other times you need secret & random nonces (as for DSA), as Sony learned recently...

