Wednesday, 21 October 2020

AES - Advanced Encryption Standard Counter (CTR) Mode - Do Not Use

Introduction
The explanation is as follows:
CTR mode was introduced by Whitfield Diffie and Martin Hellman in 1979
AES can run in CTR mode. It does not pad the data and produces output the same size as the input, which is why it is classified as a stream cipher.

TLS and CTR
The explanation is as follows. TLS has 3 CTR-mode ciphers.
  +------------------------------+-------------+
  | Description                  | Value       |
  +------------------------------+-------------+
  | TLS_AES_128_GCM_SHA256       | {0x13,0x01} |
  |                              |             |
  | TLS_AES_256_GCM_SHA384       | {0x13,0x02} |
  |                              |             |
  | TLS_CHACHA20_POLY1305_SHA256 | {0x13,0x03} |
  |                              |             |
  | TLS_AES_128_CCM_SHA256       | {0x13,0x04} |
  |                              |             |
  | TLS_AES_128_CCM_8_SHA256     | {0x13,0x05} |
  +------------------------------+-------------+
Do Not Prefer It
The explanation is as follows. Even though we could get around this problem with CBC, CBC still should not be preferred.
Schneier and Ferguson initially recommended CTR mode, but switched to recommending CBC mode due to potential difficulties in ensuring that the counter was never re-used with a key.
The main problem is that CTR cannot detect when the encrypted data has been modified. The same problem actually exists in CBC mode as well. The explanation is as follows:
Its main drawbacks are that:

1. it does not protect message integrity (and in fact allows an attacker to easily flip arbitrary bits in an encrypted message without having to decrypt it), and
2. it may leak plaintext if a counter block is ever reused; in particular, CTR mode encryption requires a unique nonce input that absolutely must not be reused for two different messages encrypted with the same key.
For this reason GCM is preferred much more often than this mode. The explanation is as follows:
You can prevent this by using a message authentication system like HMAC or, even better, an authenticated encryption mode like GCM, which functions like CTR mode but also authenticates the data and thereby makes it impossible to change the ciphertext without being detected.
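To make the two statements above concrete, here is an added example in Go (my own code, not from the original post; it uses only the standard library crypto/aes and crypto/cipher packages, with a constructed key, IV, nonce and message). It shows that a one-byte change to an AES-CTR ciphertext decrypts to a predictably altered plaintext with nothing to flag it, while AES-GCM's Open rejects the same change:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ctrStream returns an AES-CTR keystream generator for key and initial counter iv.
func ctrStream(key, iv []byte) cipher.Stream {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // demo only: the key is always 16 bytes here
	}
	return cipher.NewCTR(block, iv)
}

// CtrAfterBitFlip encrypts pt with AES-CTR, XORs delta into ciphertext byte pos
// (a modification made without knowing the key), then decrypts and returns what
// the receiver sees. CTR carries no integrity check, so the change is accepted
// silently and lands on exactly the same plaintext byte.
func CtrAfterBitFlip(key, iv, pt []byte, pos int, delta byte) []byte {
	ct := make([]byte, len(pt))
	ctrStream(key, iv).XORKeyStream(ct, pt)
	ct[pos] ^= delta
	back := make([]byte, len(ct))
	ctrStream(key, iv).XORKeyStream(back, ct) // decryption is the same XOR
	return back
}

// GcmRejectsBitFlip applies the same one-byte change to an AES-GCM ciphertext
// and reports whether Open refused it. GCM uses CTR for confidentiality but adds
// an authentication tag, so any modification fails verification.
func GcmRejectsBitFlip(key, nonce, pt []byte, pos int, delta byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	ct := aead.Seal(nil, nonce, pt, nil)
	ct[pos] ^= delta
	_, err = aead.Open(nil, nonce, ct, nil)
	return err != nil
}

func main() {
	// Constructed sample values; never use fixed keys, IVs or nonces in real code.
	key := []byte("0123456789abcdef") // 16 bytes -> AES-128
	iv := []byte("ctr-iv-16-bytes!")  // 16-byte CTR initial counter block
	nonce := []byte("gcm-nonce-12")   // 12-byte GCM nonce
	msg := []byte("pay 100")

	// XORing '1'^'9' into byte 4 turns the '1' into a '9' for the receiver.
	fmt.Printf("CTR receiver sees: %q\n", CtrAfterBitFlip(key, iv, msg, 4, '1'^'9'))
	fmt.Println("GCM rejects the same change:", GcmRejectsBitFlip(key, nonce, msg, 4, '1'^'9'))
}
```

Run it with `go run`; the names CtrAfterBitFlip and GcmRejectsBitFlip are my own. Note that the GCM nonce is 12 bytes and, like the CTR counter block, must be unique per key.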
Nonce/IV
The explanation of the difference between a nonce and an IV is as follows:
If the IV is a nonce, that means it is a number used once (eg CTR mode). 
In this mode the IV must be unique. Usually a counter is kept for the IV and incremented by one each time. Because the IV is not the output of the previous block, the blocks do not have to wait for one another, so CTR can be run in parallel. CTR can be implemented using ECB mode. The explanation is as follows:
You can implement CTR mode if all you have is ECB. All you have to do is use ECB to encrypt the successive counter values and use the resulting ECB-ciphertext as the CTR keystream to xor with the actual plaintext you want to encrypt.
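As an added example (my own code, not from the post; Go standard library only, with a constructed key and IV), here is the construction the quote describes: CTR mode built from nothing but the single-block encrypt call, with the counter block incremented as a big-endian integer, checked against crypto/cipher's own CTR implementation:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// incrementCounter treats the block as a big-endian integer and adds one,
// the same convention Go's cipher.NewCTR uses.
func incrementCounter(c []byte) {
	for i := len(c) - 1; i >= 0; i-- {
		c[i]++
		if c[i] != 0 {
			return
		}
	}
}

// CtrFromEcb builds CTR mode from the single-block (ECB-style) encrypt
// operation alone: encrypt counter, counter+1, counter+2, ... and XOR that
// keystream with the data. Decryption is the same call. Each block's keystream
// depends only on the counter value, which is why blocks can be computed in
// parallel, and why the initial counter (the IV) must never repeat under a key.
func CtrFromEcb(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	counter := make([]byte, aes.BlockSize)
	copy(counter, iv)
	keystream := make([]byte, aes.BlockSize)
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		block.Encrypt(keystream, counter) // ECB encryption of one counter block
		end := i + aes.BlockSize
		if end > len(data) {
			end = len(data) // no padding: a final partial block uses only part of the keystream
		}
		for j := i; j < end; j++ {
			out[j] = data[j] ^ keystream[j-i]
		}
		incrementCounter(counter)
	}
	return out, nil
}

// MatchesStdlib checks the hand-built construction against crypto/cipher's CTR.
func MatchesStdlib(key, iv, data []byte) bool {
	ours, err := CtrFromEcb(key, iv, data)
	if err != nil {
		return false
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return false
	}
	ref := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(ref, data)
	return bytes.Equal(ours, ref)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte key for the demo only
	iv := []byte("unique-counter01") // constructed; a real IV is fresh for every message
	pt := []byte("CTR output is the same length as the input")
	ct, _ := CtrFromEcb(key, iv, pt)
	back, _ := CtrFromEcb(key, iv, ct)
	fmt.Println("plaintext length:", len(pt), "ciphertext length:", len(ct))
	fmt.Println("matches crypto/cipher CTR:", MatchesStdlib(key, iv, pt))
	fmt.Println("round trip:", string(back))
}
```

The loop body for each block touches only the counter value and that block's bytes, which is what makes the blocks independent of one another.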
Nonce Reset Attack
The explanation of the nonce reset attack is as follows:
In many ciphers, a key is used to produce a series of ones and zeros that are xor'd with the data to produce an encrypted value. This string of ones and zeros is known as the keystream. If you are able to reuse a nonce and the keystream isn't altered based on the content of previous plaintext blocks, then you can look for known packets to appear in the content. When these known packets occur, you will see a predictable pattern occur and will be able to determine that you know that portion of the keystream.


By repeating the process, you eventually can gain more and more knowledge of the keystream and can then read or manipulate anything found on a known portion of the keystream. RC4 is EXTREMELY vulnerable to nonce reuse as it is a pure xor'd keystream. Similarly CTR modes of AES will be extremely susceptible. AES CBC-MAC will be a bit less impacted, however doing constant key resetting could potentially bypass the chaining due to always using the same set of initial blocks, so some information leakage would potentially still be possible, especially for the attacker faking a new client where racing will not be a factor.
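An added example in Go (my own code, not from the original post; standard library only, with constructed sample values) of the keystream exposure described above for AES-CTR, together with the per-message fresh IV that prevents it:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ctrStream returns an AES-CTR keystream generator for key and initial counter iv.
func ctrStream(key, iv []byte) cipher.Stream {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // demo only: the key is always 16 bytes here
	}
	return cipher.NewCTR(block, iv)
}

// KeystreamLeakOnReuse encrypts a known message and a secret message under the
// same key and the same nonce. Both ciphertexts are XORed with the same
// keystream, so c1 ^ known exposes that keystream and c2 ^ keystream exposes
// the secret, byte for byte, as far as the known message reaches. This is the
// two-time-pad failure the quoted text describes for RC4 and AES-CTR.
func KeystreamLeakOnReuse(key, nonce, known, secret []byte) []byte {
	c1 := make([]byte, len(known))
	ctrStream(key, nonce).XORKeyStream(c1, known)
	c2 := make([]byte, len(secret))
	ctrStream(key, nonce).XORKeyStream(c2, secret) // same nonce: same keystream
	n := len(secret)
	if len(known) < n {
		n = len(known)
	}
	recovered := make([]byte, n)
	for i := 0; i < n; i++ {
		keystreamByte := c1[i] ^ known[i]
		recovered[i] = c2[i] ^ keystreamByte
	}
	return recovered
}

// SealWithFreshIV is the matching defence for plain CTR: a random 16-byte
// initial counter from crypto/rand for every message, sent ahead of the
// ciphertext. This fixes reuse only; CTR still has no integrity protection,
// so an AEAD such as GCM remains the better choice.
func SealWithFreshIV(key, pt []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	ctrStream(key, iv).XORKeyStream(ct, pt)
	return append(iv, ct...), nil
}

// OpenWithPrefixedIV splits the IV off the front and decrypts the rest.
func OpenWithPrefixedIV(key, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize {
		return nil, errors.New("message shorter than the IV")
	}
	pt := make([]byte, len(msg)-aes.BlockSize)
	ctrStream(key, msg[:aes.BlockSize]).XORKeyStream(pt, msg[aes.BlockSize:])
	return pt, nil
}

func main() {
	// Constructed sample values for the demonstration only.
	key := []byte("0123456789abcdef")
	nonce := []byte("reused-nonce-000")
	known := []byte("HELLO server, protocol v1")
	secret := []byte("session token 4242")
	fmt.Printf("recovered under nonce reuse: %q\n", KeystreamLeakOnReuse(key, nonce, known, secret))

	sealed, _ := SealWithFreshIV(key, secret)
	opened, _ := OpenWithPrefixedIV(key, sealed)
	fmt.Printf("fresh-IV round trip: %q\n", opened)
}
```

The function names are my own. The recovery needs no key at all, only two ciphertexts and one known plaintext, which is why a repeated nonce is treated as a key compromise for the affected messages.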
