View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0011250 | GNUnet | cadet service | public | 2026-03-13 17:59 | 2026-03-13 17:59 |
| Reporter | schanzen | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | new | Resolution | open | ||
| Target Version | 1.0.0 | ||||
| Summary | 0011250: CADET header encryption nonce entropy missing | ||||
| Description | I think there is a crypto bug in CADET: According to https://signal.org/docs/specifications/doubleratchet/#external-functions, "HENCRYPT(hk, plaintext): Returns the AEAD encryption of plaintext with header key hk. Because the same hk will be used repeatedly, the AEAD nonce must either be a stateful non-repeating value, or must be a random non-repeating value chosen with at least 128 bits of entropy." In the code we can see `GNUNET_CRYPTO_hkdf_gnunet (result: &iv, out_len: sizeof iv, xts: NULL, xts_len: 0, skm: &ax->HKs, skm_len: sizeof ax->HKs);` that the nonce (iv) is derived from said HK, which will be used repeatedly, and no other entropy is input. | ||||
| Tags | No tags attached. | ||||
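The following is an added illustration of the concern in the report, not GNUnet code: a plain RFC 5869 HKDF (HMAC-SHA256) stands in for `GNUNET_CRYPTO_hkdf_gnunet`, and the 12-byte nonce length, the `cadet-header-iv` info label and the per-message counter are assumptions made for the demo. It derives the IV from the header key alone, as the reported call does, and beside it the stateful variant the Signal text asks for, then counts distinct nonces over a run of messages.

```python
import hmac
import hashlib


def hkdf(skm: bytes, out_len: int, xts: bytes = b"", info: bytes = b"") -> bytes:
    """RFC 5869 HKDF using HMAC-SHA256 for both extract and expand.
    Assumed stand-in for GNUNET_CRYPTO_hkdf_gnunet (not its real implementation)."""
    salt = xts if xts else b"\x00" * hashlib.sha256().digest_size
    prk = hmac.new(salt, skm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < out_len:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:out_len]


IV_LEN = 12  # assumed AEAD nonce length for this demo


def iv_as_reported(hk: bytes) -> bytes:
    # Mirrors the reported call: no salt (xts NULL), no info, only the header key.
    return hkdf(hk, IV_LEN)


def iv_with_message_counter(hk: bytes, msg_index: int) -> bytes:
    # Stateful non-repeating nonce: mix a per-message counter into the HKDF info.
    # Label and counter width are assumptions for the demo.
    return hkdf(hk, IV_LEN, info=b"cadet-header-iv" + msg_index.to_bytes(8, "big"))


def nonces_as_reported(hk: bytes, n: int) -> list:
    """Nonces the reported derivation yields for n consecutive headers under one hk."""
    return [iv_as_reported(hk) for _ in range(n)]


def nonces_with_counter(hk: bytes, n: int) -> list:
    """Nonces the stateful derivation yields for the same n headers."""
    return [iv_with_message_counter(hk, i) for i in range(n)]


def distinct(nonces: list) -> int:
    # A safe scheme returns len(nonces); the reported one returns 1.
    return len(set(nonces))


if __name__ == "__main__":
    hk = bytes(range(32))  # constructed header key for the demo
    print("reported derivation:", distinct(nonces_as_reported(hk, 10)), "distinct of 10")
    print("counter derivation: ", distinct(nonces_with_counter(hk, 10)), "distinct of 10")
```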
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2026-03-13 17:59 | schanzen | New Issue |