++æ v2 candidates with renewed AD processing (Nov. 5th 2014)

I have drawn some diagrams illustrating the idea of processing the AD in exactly the same way as the cryptogram. This approach fixes the flaw identified by Daniel Bleichenbacher in the initial draft design of the three ++æ v2 candidates, which allowed a sequence of three AD blocks of the form ...||X||Y||Y||... to be replaced by ...||Y||X||X||... without detection.

Click here for the diagrams.

This new approach provides the same integrity guarantee for the AD as for the cryptogram sequence.

Moreover, the sequence numbering / nonce used for session resynchronization has been eliminated, and the candidates now operate in a purely stateful mode. This simplifies operation and makes it robust against any counter / nonce misuse. The price paid is that resynchronizing the two communicants requires establishing a new session key.


