ISSUE-52: Should the nonce, IV, and associated data be separated?

DYNAMIC NONCE

Should the nonce, IV, and associated data be separated?

State:
CLOSED
Product:
design for Web Crypto API
Raised by:
Harry Halpin
Opened on:
2013-09-30
Description:
The API should be suggestive of the right use.

The encrypt interface seems to be missing some key parameters. For symmetric encryption I would suggest expanding it to

Promise<any> encrypt(AlgorithmIdentifier algorithm,
                     Key key,
                     Nonce nonce,
                     sequence<CryptoOperationData> associatedData,
                     sequence<CryptoOperationData> cleartextData);

As is, the Nonce and associatedData arguments are missing. As a result,
in several modes the IV and associatedData are given as parameters to the
algorithms. I worry that this will confuse developers into thinking that
the IV and associatedData are set once when the key is initialized and
never changed again. But both, especially the nonce, will need to be
different for every message. At least if it is being passed in, it would suggest to the developer that the nonce would be changed.

Similarly, AES-GCM decrypt will need to take as input the ciphertext *and*
associatedData. Would associatedData always be given as an algorithm
parameter? (Dan Boneh)

http://lists.w3.org/Archives/Public/public-webcrypto/2013Sep/0055.html
Related Actions Items:
No related actions
Related emails:
  1. crypto-ISSUE-52 (DYNAMIC NONCE): Should the nonce, IV, and associated data be separated? [design for Web Crypto API] (from sysbot+tracker@w3.org on 2013-09-30)

Related notes:

No additional notes.
