Comments inline...

On Tue, Jun 11, 2013 at 10:47 AM, Sean Cassidy <>wrote:

> > - Any specific reason you picked CTR?
> CTR is widely recommended. Cryptography Engineering specifically
> recommends it.

The reason I ask is that this makes your IV-generation more critical than,
say, CBC, XTS, or other modes. If you have an IV collision, you'll leak
some message bits.

How big is the random nonce here, i.e. "sizeof( -
How are message IDs generated?

> > - HMAC verification is vulnerable to a timing attack. Since you're using
>  > CTR, it's that much easier to forge messages.
> I will have to look into this in my Javascript client as well. Do you
> have any recommendations?

Use a timing-independent array
It's an easy fix. I've made the same mistake before, which is why I always
look for it now.
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at or changing your settings at

Reply via email to