Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Avoid AES-GCM-SIV (?) #4

Open
vbakke opened this issue Sep 15, 2024 · 1 comment
Open

Avoid AES-GCM-SIV (?) #4

vbakke opened this issue Sep 15, 2024 · 1 comment

Comments

@vbakke
Copy link

vbakke commented Sep 15, 2024

First, thank you so much for compiling this list. 😃👍 I just wish I'd found this earlier : )

(EDIT: I found the sentence "So it's important to emphasise that AES-GCM-SIV (and nonce-misuse resistant modes in general) are not a magic invulnerability shield." in the "don't" link. So I will rephrase my whole question.)

I don't find the article at ImperialViolet telling us to avoid AES-GCM-SIV. Even if it isn't such a silvery bullet as many believe. I read the article in support of AES-GCM-SIV, but with a caution note at the end.

Cpmpared to the risk of catastrophic failure of reusing an IV is almost any of the streaming / one-time-pad algorithms, such as CTR, GCM, OCB, Chacha, etc, I regard the SIV alternatives easier to use correctly. (This is a guide for non-expert cryptographers, after all.)

SIV algorithms have one other property that should be mentioned. Encrypting the same value twice will yield the same cipher. This may often be harmful, but is an added bonus when pseudonymization fields in a database. You may still be able to use encrypted values as foreign keys, even if you cannot decipher them.

@vbakke vbakke changed the title AES-GCM-SIV lacks a source Avoid AES-GCM-SIV (?) Sep 15, 2024
@samuel-lucas6
Copy link
Owner

I'm glad you find the guidelines useful. However, there are various inaccuracies and changes I'd like to make, like switching to a pros/cons list for each algorithm rather than trying to rank them. The issue is dedicating the time to researching and then writing everything. This type of project would be better if it was community driven like MITRE ATT&CK, getting updates as the literature evolves and input from people with different experience, except nobody would be willing to do that. There's simply too much literature for one person to cover. You can't be knowledgeable about everything, and you need a work-life balance.

Now AES-GCM-SIV is a tricky one. Misuse-resistant AEADs aren't any easier to use because you should still be using a nonce. Therefore, you can probably just use a nonce-based AEAD with a large random nonce (e.g., XChaCha20-Poly1305, AEGIS-256, a transform for AES-GCM, or similar). Those are more widespread, more efficient, can be made hard to misuse by a library, and don't give you a false sense of security/encourage completely deterministic encryption. The main downside is storage overhead.

In an ideal world, we'd probably just have misuse-resistant AEADs as a precaution. However, the reality is that they're less available and often not required so people don't want to sacrifice performance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants