
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS - hannob
https://github.com/nonce-disrespect/nonce-disrespect
======
kkl
This is a great paper. Basically, AES-GCM fails when nonces are repeated. If
that sounds like an impossibility, it isn't. The authors found several TLS
implementations that had faulty nonce generation algorithms. Notably, one
device would send the same 8 bytes of uninitialized memory as its first and
second nonce in a connection.
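What "fails" means in practice, as an added example (not code from the paper, from the nonce-disrespect repo, or from the commenter): two records encrypted under the same 96-bit nonce leak the XOR of their plaintexts through CTR keystream reuse, and their two tags alone give away the GHASH key H, after which an attacker can compute a valid tag for any ciphertext and AAD under that nonce. The GCM structure below follows NIST SP 800-38D, but the block cipher is a stand-in (HMAC-SHA256 truncated to 16 bytes, an assumption so the script runs offline); the attack uses only the mode's structure, so it applies unchanged to real AES-GCM. The key, nonce and records are constructed.

```python
"""Nonce reuse in GCM: keystream reuse, recovery of H, and tag forgery.

Constructed example. GCM structure per SP 800-38D: H = E_K(0^128), CTR
keystream from inc32(J0), tag = GHASH_H(A, C) XOR E_K(J0). The block cipher
is a stand-in keyed PRF (assumption), not AES; the attack does not care.
"""
import hashlib
import hmac

R = 0xE1 << 120   # GCM reduction constant in GCM's reflected bit ordering
ONE = 1 << 127    # the field element 1 in that ordering


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_K(block): any 16-byte keyed PRF serves the demonstration."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def gf_mul(x: int, y: int) -> int:
    """Multiplication in GF(2^128) exactly as SP 800-38D, Algorithm 1."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x: int, e: int) -> int:
    r = ONE
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x, e = gf_mul(x, x), e >> 1
    return r


def gf_inv(x: int) -> int:
    return gf_pow(x, (1 << 128) - 2)   # Fermat: x^(2^128 - 2) is the inverse


def gf_sqrt(x: int) -> int:
    return gf_pow(x, 1 << 127)         # squaring is a bijection in GF(2^128)


def _pad_blocks(b: bytes) -> list:
    b += b"\x00" * (-len(b) % 16)
    return [int.from_bytes(b[i:i + 16], "big") for i in range(0, len(b), 16)]


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    x = 0
    for blk in _pad_blocks(aad) + _pad_blocks(ct) + [(len(aad) * 8) << 64 | len(ct) * 8]:
        x = gf_mul(x ^ blk, h)
    return x


def _ctr(key: bytes, j0: int, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 16):
        ctr = (j0 >> 32 << 32) | (((j0 & 0xFFFFFFFF) + 1 + i // 16) & 0xFFFFFFFF)
        ks = block_encrypt(key, ctr.to_bytes(16, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], ks))
    return bytes(out)


def _setup(key: bytes, iv: bytes):
    h = int.from_bytes(block_encrypt(key, bytes(16)), "big")
    j0 = int.from_bytes(iv + b"\x00\x00\x00\x01", "big")          # 96-bit IV form
    s = int.from_bytes(block_encrypt(key, j0.to_bytes(16, "big")), "big")
    return h, j0, s


def gcm_encrypt(key: bytes, iv: bytes, aad: bytes, pt: bytes):
    h, j0, s = _setup(key, iv)
    ct = _ctr(key, j0, pt)
    return ct, (ghash(h, aad, ct) ^ s).to_bytes(16, "big")


def gcm_decrypt(key: bytes, iv: bytes, aad: bytes, ct: bytes, tag: bytes) -> bytes:
    h, j0, s = _setup(key, iv)
    if not hmac.compare_digest(tag, (ghash(h, aad, ct) ^ s).to_bytes(16, "big")):
        raise ValueError("authentication failed")
    return _ctr(key, j0, ct)


# Attacker's side: sees only (ciphertext, tag) pairs sent under one repeated nonce.

def recover_h(c1: bytes, t1: bytes, c2: bytes, t2: bytes) -> int:
    """Simplest 'forbidden attack' case: two distinct single-block records of equal
    length, no AAD, same nonce. E_K(J0) and the length block cancel, leaving
    T1 ^ T2 = (C1 ^ C2) * H^2, so H = sqrt((T1 ^ T2) / (C1 ^ C2))."""
    if len(c1) != len(c2) or len(c1) > 16:
        raise ValueError("solver needs two equal-length, single-block records")
    dc = _pad_blocks(c1)[0] ^ _pad_blocks(c2)[0]
    dt = int.from_bytes(t1, "big") ^ int.from_bytes(t2, "big")
    if dc == 0:
        raise ValueError("records must differ")
    return gf_sqrt(gf_mul(dt, gf_inv(dc)))


def forge_tag(h: int, aad: bytes, c1: bytes, t1: bytes, new_aad: bytes, c3: bytes) -> bytes:
    """With H known, one genuine (A, C1, T1) under the nonce gives a valid tag for any
    (A', C') under it: T' = T1 ^ GHASH_H(A, C1) ^ GHASH_H(A', C')."""
    t3 = int.from_bytes(t1, "big") ^ ghash(h, aad, c1) ^ ghash(h, new_aad, c3)
    return t3.to_bytes(16, "big")


def demo() -> dict:
    key = b"\x11" * 16                                         # constructed; never learned
    iv = b"\x00" * 4 + b"\xde\xad\xbe\xef" * 2                 # constructed salt || reused explicit nonce
    p1, p2 = b"PAY 0010 TO BOB", b"PAY 0020 TO EVE"            # constructed single-block records
    c1, t1 = gcm_encrypt(key, iv, b"", p1)
    c2, t2 = gcm_encrypt(key, iv, b"", p2)
    # 1. CTR keystream reuse: C1 ^ C2 == P1 ^ P2 (one known plaintext exposes the other).
    reuse = bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1, p2))
    # 2. Recover H from the two tags alone.
    h = recover_h(c1, t1, c2, t2)
    # 3. Flip ciphertext bits so the record reads p3, then forge its tag under a new AAD.
    p3 = b"PAY 9999 TO BOB"
    c3 = bytes(c ^ a ^ b for c, a, b in zip(c1, p1, p3))
    t3 = forge_tag(h, b"", c1, t1, b"type=app_data", c3)
    try:
        gcm_decrypt(key, iv, b"", c3, t1)                    # tampered record, genuine tag
        rejected = False
    except ValueError:
        rejected = True
    return {"keystream_reuse": reuse, "h_recovered": h == _setup(key, iv)[0],
            "tamper_without_forgery_rejected": rejected,
            "forged_plaintext": gcm_decrypt(key, iv, b"type=app_data", c3, t3)}


if __name__ == "__main__":
    print(demo())
```

The solver here handles the minimal case (two single-block records of equal length); with longer records the same relation becomes a polynomial in H whose roots are found in GF(2^128), and with more repeated-nonce records the candidate set shrinks to one. The forgery step is already general: once H is known, any ciphertext and any AAD can be tagged under that nonce.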

