3

I'm working on a project to upgrade an existing system that currently uses RC4 to encrypt a payload with a random session key. The session key is then encrypted with asymmetric public key encryption (RSA PKCS#1 OAEP). The encrypted pair are then transmitted over insecure channels as a token.

I'm looking to replace the RC4 part with AES-128-GCM. This is an interim solution on the way to using a standardised authenticated public key message exchange framework, such as OpenPGP or JOSE JWE.

To reduce the amount of work required to implement AES-128-GCM by keeping the message syntax the same, I was thinking of using a static IV/nonce shared by sender and recipient. As the session key is unique, I understand that this is as secure as using a random IV with a static key.

Is this an acceptable solution?

Maarten Bodewes

1 Answer

5

Yes. You can even use the nonce 0, and skip sharing state between the sender and receiver. While you're at it, consider using AES-256-GCM instead of AES-128-GCM to limit the danger of multi-target attacks.

And stop there; don't waste your time with the painfully archaic OpenPGP or hopelessly dwimmy JOSE. If you really want to switch to an existing library, consider instead using NaCl/libsodium crypto_box with a random nonce or libsodium crypto_box_seal (which has no nonce, and, as you describe, generates a session key independently at random for each message).

Squeamish Ossifrage
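The hybrid scheme the question describes and the answer endorses (a fresh random session key per message, AES-GCM under a static all-zero nonce, the key wrapped with RSA-OAEP), written out as an added example in Go's standard library; this is illustration code, not the asker's system or any library's API. Assumptions made here: AES-256 as the answer recommends, SHA-256 as the OAEP hash, an empty OAEP label, and a two-field token layout. The last function demonstrates the failure mode the whole design hinges on: if the key ever repeats, the static nonce turns GCM into a two-time pad, and the XOR of two ciphertexts reveals the XOR of the plaintexts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token is the hybrid-encrypted message: the RSA-OAEP-wrapped session key plus
// the AES-GCM ciphertext (Seal appends the 16-byte tag). This layout is an
// assumption for the example, not the asker's actual wire format.
type Token struct {
	WrappedKey []byte
	Ciphertext []byte
}

// fixedNonce is the static 96-bit nonce shared by sender and receiver: all
// zeros, as the answer suggests. Safe only because every Token gets a fresh key.
var fixedNonce = make([]byte, 12)

// oaepLabel is OAEP's optional label; left empty here (assumption).
var oaepLabel []byte

// Seal draws a fresh random AES-256 session key, encrypts the payload with
// AES-256-GCM under the fixed nonce, and wraps the key with RSA-OAEP/SHA-256.
func Seal(pub *rsa.PublicKey, payload []byte) (Token, error) {
	key := make([]byte, 32) // 256-bit key, per the answer's recommendation
	if _, err := rand.Read(key); err != nil {
		return Token{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Token{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Token{}, err
	}
	ct := gcm.Seal(nil, fixedNonce, payload, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return Token{}, err
	}
	return Token{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Open unwraps the session key with the RSA private key, then authenticates
// and decrypts the payload. Any tampering with ciphertext or tag makes
// gcm.Open return an error, which is the property RC4 never gave the system.
func Open(priv *rsa.PrivateKey, t Token) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, t.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("unexpected session key length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, fixedNonce, t.Ciphertext, nil)
}

// KeystreamReuseLeak shows why the scheme depends on the session key never
// repeating: GCM encrypts with CTR mode, so two messages under the same key
// and the same (static) nonce share a keystream, and ct1 XOR ct2 == pt1 XOR pt2.
// Returns true when that leak is observable for the given key and plaintexts.
func KeystreamReuseLeak(key, p1, p2 []byte) (bool, error) {
	if len(p1) != len(p2) {
		return false, errors.New("plaintexts must have equal length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	c1 := gcm.Seal(nil, fixedNonce, p1, nil)[:len(p1)] // strip the tag
	c2 := gcm.Seal(nil, fixedNonce, p2, nil)[:len(p2)]
	xorCt := make([]byte, len(p1))
	xorPt := make([]byte, len(p1))
	for i := range p1 {
		xorCt[i] = c1[i] ^ c2[i]
		xorPt[i] = p1[i] ^ p2[i]
	}
	return bytes.Equal(xorCt, xorPt), nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tok, err := Seal(&priv.PublicKey, []byte("constructed sample payload"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(priv, tok)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
	tok.Ciphertext[0] ^= 1 // flip one bit: GCM must reject it
	_, err = Open(priv, tok)
	fmt.Println("tampered token rejected:", err != nil)
}
```

The check a reviewer of such a system should insist on is the one KeystreamReuseLeak makes visible: the static nonce is only as safe as the guarantee that Seal's key comes from a CSPRNG and is never cached or reused across tokens.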