
It's still considered safe to call AES-GCM with a single key and a randomly generated nonce 2^32 times [1]; most practical systems don't come anywhere near this limit. And there's AES-GCM-SIV that solves nonce reuse (mostly), though it's not available in the Web Cryptography API at the moment.

1: https://csrc.nist.gov/csrc/media/Projects/crypto-publication...




I don't personally care, and probably wouldn't even sev:info a random GCM nonce in an assessment, but I would also choose extended-nonce Chapoly in preference to GCM in part because of this issue.



