2

Is it advisable to use AES CTR mode with the counter initialized to 0? How good is it in security terms?

annunarcist

1 Answer

5

As long as you never re-use a specific counter value with the same key, counter mode protects the privacy of the message.

All counter values are equally secure. You just have to be sure never to re-use any counter value in two different messages. Zero is no different to any other counter value in this respect.

However, if you ever re-use any counter values then the secrecy of both messages is completely lost.

If you plan to encrypt many messages under the same key, then it would be wise to choose a different counter strategy to avoid the possibility of re-using counter values.

One such strategy is to allocate the first 64 bits of the block to the milliseconds since 1970. This is safe if the key is only used in a single thread and you don't encrypt more than one message per millisecond. This won't take the full 64 bits, so you can just fill the remaining bits at random. You then reserve the remaining 64 bits for the counter. This will make it difficult for two messages to use the same counter values.

Simon Johnson
  • ... take the full 128 bits ... ? – Maarten Bodewes Oct 28 '13 at 21:47
  • Although you can change your accept afterwards, I would always wait a certain time for other answers or corrections on the original answer before accepting, annunarcist. By accepting, the question looks closed, so others may not give it the full attention it would receive otherwise. – Maarten Bodewes Oct 28 '13 at 21:50
  • "As long as you never re-use a specific counter value with the same key, counter mode protects the privacy of the message." This is good advice. -- Basically this means: if the AES CTR key is a long-term key (as opposed to, e.g., a session key), there needs to be a strategy implemented to ensure re-use never happens. The suggested 64-bit + 64-bit can be a good strategy on some systems. – user4982 Oct 28 '13 at 22:55
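
The counter-reuse failure and the timestamp-plus-counter layout described in the answer above, as an added Go example that is not part of the original thread. The 2-byte random / 6-byte millisecond split, the function names, the all-zero key, the messages and the timestamps are assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// counterBlock: bytes 0-1 random filler, bytes 2-7 Unix milliseconds (this byte
// split is the example's assumption), bytes 8-15 the block counter, starting at 0.
func counterBlock(unixMillis uint64) []byte {
	b := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(b[:8], unixMillis) // value fits in the low 48 bits
	if _, err := rand.Read(b[:2]); err != nil {   // randomize the unused top bits
		panic(err)
	}
	return b
}

// ctr encrypts (or decrypts) msg with AES-CTR starting from counter block start.
func ctr(key, start, msg []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(msg))
	cipher.NewCTR(blk, start).XORKeyStream(out, msg)
	return out
}

// reuseLeaks: true if c1 XOR c2 == p1 XOR p2 (equal-length msgs), i.e. the keystream cancelled.
func reuseLeaks(key, start1, start2, p1, p2 []byte) bool {
	c1, c2 := ctr(key, start1, p1), ctr(key, start2, p2)
	leak := true
	for i := range c1 {
		leak = leak && c1[i]^c2[i] == p1[i]^p2[i]
	}
	return leak
}

func main() {
	key, zero := make([]byte, 32), make([]byte, aes.BlockSize) // constructed demo key; counter 0
	p1, p2 := []byte("constructed message A"), []byte("constructed message B")
	fmt.Println("counter 0 used twice leaks:", reuseLeaks(key, zero, zero, p1, p2))
	a, b := counterBlock(1383000000000), counterBlock(1383000000001) // constructed ms
	fmt.Println("timestamped counters leak:", reuseLeaks(key, a, b, p1, p2))
}
```

Go's `cipher.NewCTR` increments the whole 16-byte block as a big-endian integer, so the low 64 bits act as the per-message block counter.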