tux3 | 7 days ago

Right, but AES is a primitive used in a lot of protocols, and they might need to do something different with the IV. The source of randomness is also traditionally something that people want control over, because some platforms can have terrible randomness.

Even high-level libraries like crypto_secretbox still take the nonce separately. They do have a combined mode that prepends the authentication code to the cipher text, and most people who just want to encrypt something should probably look at a higher-level interface like this one instead of directly using raw AES libraries.

That being said, providing an interface where the IV is optional and the default value is a constant instead of random is still insane. That wouldn't be out of place in some Underhanded Crypto Contest where the goal is to create subtle bugs.

pseudohadamard | 6 days ago

The problem isn't just the code, it's the use of incredibly brittle but eminently fashionable modes like GCM and CTR, and algorithms like ChaCha20 that only work in CTR mode. Older modes like CBC are pretty abuse-resistant: repeat an IV or use an all-zero IV and the whole thing is very slightly less secure, while with something like GCM you get a catastrophic failure of security. And if you use CBC+HMAC you typically get key separation as an inherent property of the setup. The solution isn't to gaze into the middle distance and say "well everyone should just use SIV" (which has problems of its own) but to default to safer modes that don't fail catastrophically when used in the straightforward, obvious way.
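An added example (not code from either commenter, nor from any library named in the thread) showing what the two comments above describe: a constant or repeated IV turns CTR into a two-time pad (the XOR of two ciphertexts equals the XOR of the plaintexts, regardless of the key), while a repeated IV in CBC only reveals how many leading blocks two messages share. HMAC-SHA256 is used as a constructed stand-in for the block cipher, and the key, nonces and messages are constructed values.

```python
import hashlib
import hmac
import os

BLOCK = 32  # block size of the constructed stand-in cipher (HMAC-SHA256 output length)

def block_fn(key: bytes, data: bytes) -> bytes:
    # Constructed stand-in for a block cipher call E_key(data). It is a PRF, not AES,
    # but that is enough to show how each mode depends on its IV/nonce.
    return hmac.new(key, data, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def ctr_encrypt(key: bytes, nonce: bytes, m: bytes) -> bytes:
    # CTR: c_i = m_i XOR E_key(nonce || i). The nonce is the only thing that gives
    # two messages under the same key different keystreams.
    return b"".join(xor(m[i:i + BLOCK], block_fn(key, nonce + (i // BLOCK).to_bytes(8, "big")))
                    for i in range(0, len(m), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    # CBC: c_i = E_key(m_i XOR c_{i-1}) with c_0 = iv (iv must be BLOCK bytes; zero padding).
    m = m + b"\x00" * (-len(m) % BLOCK)
    prev, out = iv, bytearray()
    for i in range(0, len(m), BLOCK):
        prev = block_fn(key, xor(m[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def ctr_ciphertext_xor_equals_plaintext_xor(key, nonce1, nonce2, m1, m2) -> bool:
    # True when the keystreams coincide, i.e. when nonce1 == nonce2: then c1 XOR c2 == m1 XOR m2
    # and any known plaintext exposes the other. This is the "catastrophic failure" of CTR/GCM.
    c1, c2 = ctr_encrypt(key, nonce1, m1), ctr_encrypt(key, nonce2, m2)
    return xor(c1, c2) == xor(m1, m2)

def cbc_equal_prefix_blocks(key, iv, m1, m2) -> int:
    # With a repeated IV, CBC only reveals how many leading blocks the two messages share.
    c1, c2 = cbc_encrypt(key, iv, m1), cbc_encrypt(key, iv, m2)
    count = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        count += 1
    return count

def encrypt_with_fresh_nonce(key: bytes, m: bytes) -> bytes:
    # The sane default: a fresh random nonce per message, prepended so the receiver has it.
    nonce = os.urandom(16)
    return nonce + ctr_encrypt(key, nonce, m)
```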