Re: [Cfrg] Request For Comments: OCB Internet-Draft

[Steven Bellovin <smb@cs.columbia.edu>]

On Jul 15, 2011, at 12:45 06PM, Ted Krovetz wrote:

> 
>> If you know how "partial" that is, it would be useful for the draft.
> 
>> Ted, I think you can be rather more specific. 
> 
> 
> In my opinion the point of the nonce-reuse warning is to impress upon security engineers that catastrophe strikes if a nonce is reused during encryption, and so they should make nonce reuse impossible. If nonce reuse is impossible, then it is irrelevant how bad the damage is when nonces are reused.
> 
> RFC writers need to walk a fine line: RFCs are primarily a description of technology, but should include enough high-level context to inform against poor usage. I think the current warnings on nonce reuse do this, but if you can suggest a scenario where the current advice is being heeded and yet it is still useful to know how bad not heeding it would be, I'm open to adding some quantifications.
> 
> It may be worth adding a few paragraphs to the OCB paper describing and quantifying the damage, but I'm a bit reluctant to do so in the ID.

Also give a reference to a paper that gives more details.

Beyond that, both this issue and the bound on plaintext suggest that
this mode SHOULD NOT be used with manual key management.  You should
say that explicitly, perhaps with a reference to 4107.

Devices that lose dynamic state on reboot -- and in particular, lose
state about which nonces have been used -- are particularly vulnerable
here; this merits an extra warning, especially because many WEP
implementations have fallen victim to precisely this problem.  See
http://www.cs.berkeley.edu/~daw/papers/wep-mob01.pdf for details.


		--Steve Bellovin, https://www.cs.columbia.edu/~smb