Bad practices all around
Posted Jul 10, 2024 19:47 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
In reply to: Bad practices all around by anmoch
Parent article: Offload-friendly network encryption in the kernel
The only problem with long-lived connections in TLS/PSP is that AES-GCM is weak against nonce reuse. If you can find two different messages encrypted with the same nonce, then you will be able to forge GCM signatures, although you won't be able to decrypt messages.
This is mostly a theoretical attack. The nonce length is just 96 bits, so if you use random nonces, you start having an appreciable risk of collision after around 2^48 messages transmitted (so after at least around 2^56 bytes, in reality even more). And if you use incremental nonces instead of random ones, you are not at risk at all.
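The three points in the comment above, as an added example that is not part of the original thread or of the kernel PSP code: what happens to AES-GCM when a (key, nonce) pair is reused, the birthday-bound collision probability for random 96-bit nonces, and a deterministic counter nonce that cannot repeat. The key, nonce and messages are constructed for the demonstration; the 32-bit fixed field plus 64-bit counter layout follows the recommended nonce formation in RFC 5116 section 3.2, and the `CounterNonce`, `NonceReuseLeak`, `SealNext` and `CollisionProbability` names are this example's own. Beyond the tag-forgery risk the comment mentions, the reused keystream also leaks the XOR of the two plaintexts, which the first function shows directly.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Constructed demo key and nonce; a real implementation derives the key per
// session and never hard-codes the nonce.
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256
var demoNonce = []byte("unique-nonce")                   // 12 bytes = 96 bits, GCM default

const gcmTagLen = 16

// gcmSeal returns ciphertext||tag for plaintext under key and nonce.
func gcmSeal(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// NonceReuseLeak encrypts p1 and p2 with the same key and nonce and returns the
// XOR of the two ciphertext bodies (tags stripped). GCM is CTR mode underneath,
// so the same (key, nonce) yields the same keystream and this XOR equals
// p1 XOR p2: knowing one plaintext reveals the other.
func NonceReuseLeak(p1, p2 []byte) ([]byte, error) {
	c1, err := gcmSeal(demoKey, demoNonce, p1)
	if err != nil {
		return nil, err
	}
	c2, err := gcmSeal(demoKey, demoNonce, p2)
	if err != nil {
		return nil, err
	}
	return xorBytes(c1[:len(c1)-gcmTagLen], c2[:len(c2)-gcmTagLen]), nil
}

// CollisionProbability approximates P(some nonce repeats) when n nonces are
// drawn uniformly from 2^bits values: 1 - exp(-n(n-1) / 2^(bits+1)).
// For bits=96 and n=2^48 this is about 0.39, the "appreciable risk" point.
func CollisionProbability(bits int, n float64) float64 {
	return 1 - math.Exp(-n*(n-1)/math.Pow(2, float64(bits+1)))
}

// CounterNonce produces 96-bit nonces as salt(32 bits) || counter(64 bits).
// Each call returns a strictly fresh value; once the counter is exhausted it
// returns an error instead of wrapping, which would silently reuse nonces.
type CounterNonce struct {
	salt      uint32
	counter   uint64
	exhausted bool
}

var ErrNonceExhausted = errors.New("nonce counter exhausted: rekey before continuing")

func (c *CounterNonce) Next() ([]byte, error) {
	if c.exhausted {
		return nil, ErrNonceExhausted
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[:4], c.salt)
	binary.BigEndian.PutUint64(nonce[4:], c.counter)
	if c.counter == math.MaxUint64 {
		c.exhausted = true
	} else {
		c.counter++
	}
	return nonce, nil
}

// SealNext encrypts plaintext under the next counter nonce and returns both.
func SealNext(cn *CounterNonce, plaintext []byte) (nonce, ciphertext []byte, err error) {
	nonce, err = cn.Next()
	if err != nil {
		return nil, nil, err
	}
	ciphertext, err = gcmSeal(demoKey, nonce, plaintext)
	return nonce, ciphertext, err
}

func main() {
	p1 := []byte("attack at dawn!!")
	p2 := []byte("hold position!!!")
	leak, _ := NonceReuseLeak(p1, p2)
	fmt.Printf("reused nonce: ciphertext XOR == plaintext XOR? %v\n", bytes.Equal(leak, xorBytes(p1, p2)))
	fmt.Printf("P(collision) with 2^48 random 96-bit nonces: %.3f\n", CollisionProbability(96, math.Pow(2, 48)))
	cn := &CounterNonce{salt: 0x5a5a5a5a}
	_, c1, _ := SealNext(cn, p1)
	_, c2, _ := SealNext(cn, p2)
	fmt.Printf("counter nonces: ciphertext XOR == plaintext XOR? %v\n",
		bytes.Equal(xorBytes(c1[:16], c2[:16]), xorBytes(p1, p2)))
}
```

The counter variant is the cheap fix the comment alludes to: no randomness, no birthday bound, and the only thing to get right is never wrapping the counter and never sharing a (salt, counter) stream between two senders under the same key.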