[liberationtech] New Anonymity Network for Short Messages

Steve Weis steveweis at
Tue Jun 11 11:10:53 PDT 2013

Comments inline...

On Tue, Jun 11, 2013 at 10:47 AM, Sean Cassidy <sean.a.cassidy at> wrote:

> > - Any specific reason you picked CTR?
> CTR is widely recommended. Cryptography Engineering specifically
> recommends it.

The reason I ask is that this makes your IV-generation more critical than,
say, CBC, XTS, or other modes. If you have an IV collision, you'll leak
some message bits.

How big is the random nonce here, i.e. "sizeof( -
How are message IDs generated?

> > - HMAC verification is vulnerable to a timing attack. Since you're using
> > CTR, it's that much easier to forge messages.
> I will have to look into this in my Javascript client as well. Do you
> have any recommendations?

Use a timing-independent array
It's an easy fix. I've made the same mistake before, which is why I always
look for it now.
