block ciphers: improve CTR nonce warning

2018-02-28 12:29:41 +01:00 · 2018-02-28 12:29:41 +01:00 · 22997b7200
commit 22997b7200
parent 5aa4e3b1d0
4 changed files with 73 additions and 5 deletions
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@ -300,7 +300,24 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
 *             must use the context initialized with mbedtls_aes_setkey_enc()
 *             for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
 *
- * \warning    You must keep the maximum use of your counter in mind.
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. Use a counter starting at 0 or a random value. With this
+ *             strategy, this function will increment the counter for you, so
+ *             you only need to preserve the \p nonce_counter buffer between
+ *             calls. With this strategy, you must not encrypt more than
+ *             2**128 blocks of data.
+ *             2. Use a randomly-generated \p nonce_counter for each call.
+ *             With this strategy, you need to ensure the nonce is generated
+ *             in an unbiased way and you must not encrypt more than 2**64
+ *             block of data.
+ *
+ *             Note that for both stategies, the limit is in number of blocks
+ *             and that an AES block is 16 bytes.
 *
 * \param ctx              The AES context to use for encryption or decryption.
 * \param length           The length of the input data.