Discussion on: End-to-End Encrypted Chat with the Web Crypto API

View post

Replies for: The usage of constant IV with AES-GCM completely breaks its security. With AES-GCM, the application must guarantee that the IV is never repeated. O...

Hi! Thanks a lot for the feedback. I missed this information while doing my very superficial research about AES-GCM (I just saw it wasn't sensitive, but didn't see it had to change every time). I'm currently changing the tutorial's approach to this and removing the misleading info.

Edit: done

Junxiao Shi • Oct 9 '20

Last time I designed a system using random IV with AES-GCM and it got rejected in security review. Crypto expert says IV must have three parts:

Sender identifier. Suppose two parties are using the same key, 1 bit should be used to identify the encrypting party.
Random bits, 64 bits minus sender identifier.
Counter bits, 32 bits. Start from zero, incremented for each AES block (not message). Key must be rotated when the counter reaches maximum.