
I'm implementing a mobile VPN product based on AES-GCM that should be resistant against fingerprinting the movements of mobile nodes. A difficulty is that the mobile nodes may not have the best possible random number generators, so a random nonce for each packet might not be the most secure way. Also, the mathematics of the birthday attack do not favor random nonces: only about 10^14 random 96-bit nonces can be created until there is large likelihood of collision. On the other hand, 2^64 is over 10^19, so even a 64-bit counter would be superior to a random 96-bit nonce.

It is extremely unlikely that a node could generate more than 2^64 packets in its lifetime, so I had a bright idea: each node has an initialization vector key, a counter, and they use a block cipher to create the 64 bits of the nonce by encrypting the counter. Because a block cipher is reversible, if the inputs to it are never duplicated, its outputs are never duplicated. Only one crypto operation on a single 64-bit block is needed per packet, which shouldn't reduce performance much (since packets are typically 8000 bits or so, meaning that with AES-GCM quite many crypto operations are needed per packet anyway).

Ideally I would like to have a block size of more than 64 bits but less than 96 bits (since I'm using one bit for direction indicator), but it seems such ciphers are very rare: Rijndael has to have a block size with a multiple of 32 bits, so it's either 64 or 96 bits (96 bits is too large for my use case by a whopping 1 bit).

A counter-based nonce without block cipher encrypting it won't do, since an attacker might memoize the value of the counter of each device, and track their movements.

The question is, what cipher should I use for this nonce generation?

At least some notable block ciphers with a block size of 64 bits are:

  • DES: no way am I going to use it
  • triple DES: sounds like a hack and is slow
  • IDEA: I haven't heard much of this recently, not sure why
  • Blowfish
  • Rijndael with a 64-bit block size: might not be as thoroughly analyzed with a 64-bit block size as it is with a 128-bit block size, since AES uses 128 bits; also might be hard to find good implementations with a 64-bit block size

Currently I'm leaning towards Blowfish, but I'm still open to using Rijndael if it's significantly more secure even with a block size of 64 bits and good implementations can be found.

Note this cipher wouldn't be used to encrypt actual data, only create the nonce, so a break of it would only allow fingerprinting of movements, not decryption of the actual network packets.

Of course, if an attacker sees two devices using the same nonce even once, the attacker knows they can't be the same device, so perfect protection against fingerprinting the movements cannot be achieved.

juhist
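The nonce construction the question describes, as an added example that is not part of the original post: a 64-bit block cipher applied to a per-node counter, packed with a direction bit into the 96-bit AES-GCM nonce, plus the birthday-bound arithmetic behind the 10^14 figure. Since no 64-bit block cipher is in the Python standard library, the cipher here is a 4-round Feistel network with HMAC-SHA256 round functions (the Luby-Rackoff construction), an illustrative stand-in for Blowfish or Rijndael-64, and the key and counter values are constructed.

```python
import hashlib
import hmac
import math

ROUNDS = 4           # Luby-Rackoff: 4 PRF rounds give a strong pseudorandom permutation
MASK32 = 0xFFFFFFFF

def _round_keys(iv_key: bytes) -> list:
    # One independent round subkey per Feistel round, derived from the node's
    # "initialization vector key" (the question's term; derivation is ours).
    return [hmac.new(iv_key, b"nonce-feistel-round-%d" % i, hashlib.sha256).digest()
            for i in range(ROUNDS)]

def _f(subkey: bytes, half: int) -> int:
    # Keyed round function: HMAC-SHA256 of a 32-bit half block, truncated to 32 bits.
    mac = hmac.new(subkey, half.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

def encrypt_block(iv_key: bytes, block: int) -> int:
    """64-bit Feistel permutation: distinct counters always give distinct outputs.
    Caveat: with 32-bit halves the Luby-Rackoff indistinguishability bound is only
    about 2**16 blocks; a real 64-bit cipher such as Blowfish reaches ~2**32."""
    l, r = block >> 32, block & MASK32
    for k in _round_keys(iv_key):
        l, r = r, l ^ _f(k, r)
    return (l << 32) | r

def decrypt_block(iv_key: bytes, block: int) -> int:
    """Inverse of encrypt_block, showing the construction really is a permutation."""
    l, r = block >> 32, block & MASK32
    for k in reversed(_round_keys(iv_key)):
        l, r = r ^ _f(k, l), l
    return (l << 32) | r

def gcm_nonce(iv_key: bytes, counter: int, direction: int) -> bytes:
    """96-bit AES-GCM nonce: a 32-bit fixed field whose top bit is the direction
    indicator (nothing node-specific, so nothing to fingerprint), followed by
    the encrypted 64-bit counter. Both directions stay nonce-disjoint."""
    if not (0 <= counter < 2**64) or direction not in (0, 1):
        raise ValueError("counter must fit in 64 bits, direction must be 0 or 1")
    fixed = (direction << 31).to_bytes(4, "big")
    return fixed + encrypt_block(iv_key, counter).to_bytes(8, "big")

def all_nonces_distinct(iv_key: bytes, n: int) -> bool:
    # Sanity check of the uniqueness argument over the first n counter values.
    return len({gcm_nonce(iv_key, c, 0) for c in range(n)}) == n

def birthday_bound(bits: int, p: float = 0.5) -> float:
    # Random nonces of `bits` bits hit collision probability p after about
    # sqrt(2 * ln(1/(1-p)) * 2**bits) draws; for 96 bits that is ~3e14.
    return math.sqrt(2 * math.log(1 / (1 - p)) * 2 ** bits)

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo iv key").digest()   # constructed sample key
    print(gcm_nonce(key, 0, 0).hex(), gcm_nonce(key, 1, 0).hex())
    print("distinct:", all_nonces_distinct(key, 10000), "birthday(96): %.2e" % birthday_bound(96))
```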

0 Answers