extern/hishtory
1
0
Fork 0
mirror of https://github.com/ddworken/hishtory.git synced 2025-06-20 11:57:50 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add comment about AES-GCM security

Browse Source
This commit is contained in:
David Dworken 2025-01-18 23:11:54 -08:00
parent 21618af0a0
commit 8de80c510a
No known key found for this signature in database
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
client/data/data.go
View File

@ -103,6 +103,16 @@ func Encrypt(userSecret string, data, additionalData []byte) ([]byte, []byte, er
if _, err := io.ReadFull(rand.Reader, nonce); err != nil { if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
return []byte{}, []byte{}, fmt.Errorf("failed to read a nonce: %w", err) return []byte{}, []byte{}, fmt.Errorf("failed to read a nonce: %w", err)
} }
// Note that this is using AES-GCM with a default 96 bit nonce. This means that if a user has
// 2^32 = 4 billion history entries, they'll have a 2^-33 chance of experiencing a nonce collision.
// Even with this seemingly absurd number of history entries, the chance of a collision is still
// quite low (and the impact is minimal, in our case the key relevant piece is just leaking the xor
// of the two collidding history entries).
//
// If we ever wanted to improve on this, we could consider swapping to AES-GCM-SIV which mitigates
// this issue through a synthetic IV. For now, I haven't prioritized this since the risk here is quite
// low and migrating hishtory to support a new and old AEAD scheme would be a bit of a pain. But if
// anyone is ever concerned about this or disagrees with this logic, please open a GH issue!
ciphertext := aead.Seal(nil, nonce, data, additionalData) ciphertext := aead.Seal(nil, nonce, data, additionalData)
_, err = aead.Open(nil, nonce, ciphertext, additionalData) _, err = aead.Open(nil, nonce, ciphertext, additionalData)
if err != nil { if err != nil {