Dear All,
It seems flexaead is vulnerable against length extension attack in the Associated Data.
This comes from the Associated Data padding being only padding with ‘0’, so the same tag can be generated by adding ‘00’ to the Associated Data.
This can be solved by using a resistant padding such as pad10*.
for flexaead 28b064v1, here is an example:
Key=0x000102030405060708090a0b0c0d0e0f, Nonce=0x000102030405060708090a0b0c0d0e0f,
Pt=0x,
Ad=0x00,
Ct=0xd052a99fd6826a4d
Key=0x000102030405060708090a0b0c0d0e0f, Nonce=0x000102030405060708090a0b0c0d0e0f,
Pt=0x,
Ad=0x0000,
Ct=0xd052a99fd6826a4d
And with non-empty PT:
Key = 000102030405060708090A0B0C0D0E0F
Nonce = 0001020304050607
PT = 000000000000
AD = 0000
CT = FEED07DFEB57CC9992C168BE746865E0
Key = 000102030405060708090A0B0C0D0E0F
Nonce = 0001020304050607
PT = 000000000000
AD = 000000
CT = FEED07DFEB57CC9992C168BE746865E0
Best regards,
Alexandre Mège