Comments inline...

On Tue, Jun 11, 2013 at 10:47 AM, Sean Cassidy <sean.a.cass...@gmail.com> wrote:
> > - Any specific reason you picked CTR?
>
> CTR is widely recommended. Cryptography Engineering specifically
> recommends it.

The reason I ask is that this makes your IV-generation more critical than, say, CBC, XTS, or other modes. If you have an IV collision, you'll leak some message bits. How big is the random nonce here, i.e. "sizeof(dp.id.id) - blen" <https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-84>? How are message IDs generated?

> > - HMAC verification is vulnerable to a timing attack. Since you're using
> > CTR, it's that much easier to forge messages.
>
> I will have to look into this in my Javascript client as well. Do you
> have any recommendations?

Use a timing-independent array comparison <http://rdist.root.org/2010/01/07/timing-independent-array-comparison/>. It's an easy fix. I've made the same mistake before, which is why I always look for it now.
-- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech