The way I read the first draft, the wording made it sound like "nonce" was
a contraction of the words "(N)umber used (once)". I thought I learned
something. Then I looked it up, and unfortunately, that is not the case, as
cute as it would be.

That is the problem with the wording. Even if a nonce is a number that is
only used once, the word is not derived from omitting letters from the
phrase, so we shouldn't mislead people into believing that. Removing the
scare quotes is sufficient to prevent this misunderstanding.

On Sun, May 15, 2016 at 7:23 PM, Joseph Salowey <j...@salowey.net> wrote:

>
> On Sun, May 15, 2016 at 11:43 AM, Rick van Rein <r...@openfortress.nl>
> wrote:
>
>> Hi,
>>
>> > I think the erratum needs an erratum.  Firstly, "nonce" doesn't mean
>> "number
>> > used once", and secondly nonce re-use in AES-GCM doesn't just result in
>> > "catastrophic failure of it's authenticity", it results in catastrophic
>> > failure of the entire mode, both confidentiality and
>> integrity/authenticity.
>>
>> I'd like to add that I don't see a difference between a "failure" and a
>> "catastrophic failure".  It's probably better to stay away from subjective
>> words like that.
>>
>>
> [Joe] It would be better to state what actually fails:
>
> "Nonce re-use in AES-GCM allows for the recovery of the authentication
> key resulting in complete failure of the mode's authenticity.  Hence, TLS
> sessions can be effectively attacked through forgery by an adversary.
> This enables an attacker to inject data into the TLS allowing for XSS and
> other attack vectors."
>
>
>
>> -Rick
>>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
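The thread's point is that a repeated (key, nonce) pair under AES-GCM breaks the mode entirely, so the defensive job is to make a repeat impossible to emit and easy to detect in test harnesses. The following is an added example, not code from the list thread or from any TLS implementation; it assumes the TLS 1.2 AES-GCM nonce layout (4-byte implicit salt followed by an 8-byte explicit per-record value) and uses a constructed key identifier.

```python
"""Nonce bookkeeping for an AES-GCM record layer: build per-record nonces
from a monotonic counter and reject any (key, nonce) repeat before sealing.
Constructed example, not code from the TLS mailing-list thread."""
import os
import struct
from dataclasses import dataclass


class NonceReuseError(Exception):
    """Raised when a (key, nonce) pair would be used a second time."""


@dataclass
class GcmNonceState:
    salt: bytes            # 4-byte implicit part, derived with the key, never on the wire
    seq: int = 0           # 64-bit record counter, sent as the 8-byte explicit part
    limit: int = 1 << 64   # assumption: the key is rotated before the counter wraps

    def next_nonce(self) -> bytes:
        """Return the 96-bit GCM nonce for the next record, or refuse to wrap."""
        if self.seq >= self.limit:
            raise NonceReuseError("explicit nonce space exhausted; rekey required")
        explicit = struct.pack(">Q", self.seq)
        self.seq += 1
        return self.salt + explicit


class NonceReuseDetector:
    """Test/monitoring aid: remembers every nonce seen per key and rejects repeats."""

    def __init__(self):
        self._seen = {}  # key_id -> set of nonces

    def check(self, key_id: bytes, nonce: bytes) -> None:
        if len(nonce) != 12:
            raise ValueError("GCM nonce must be 96 bits")
        seen = self._seen.setdefault(key_id, set())
        if nonce in seen:
            raise NonceReuseError(f"nonce {nonce.hex()} reused under key {key_id.hex()}")
        seen.add(nonce)


def demo(records: int = 1000):
    """Send `records` nonces from a healthy counter, then simulate a peer that
    restarts its counter without rekeying. Returns (accepted, reset_caught)."""
    key_id, salt = b"\x01", os.urandom(4)   # constructed values
    det, state = NonceReuseDetector(), GcmNonceState(salt)
    accepted = 0
    for _ in range(records):
        det.check(key_id, state.next_nonce())
        accepted += 1
    try:                                     # counter reset, same key and salt
        det.check(key_id, GcmNonceState(salt).next_nonce())
        return accepted, False
    except NonceReuseError:
        return accepted, True
```

The detector holds every nonce in memory, so it belongs in fuzzing or interop test harnesses rather than on a production receive path; the counter state is what prevents reuse in the sender itself.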