bombcar 8 days ago

Haven't known invariants been used to break modern encryption in TLS, etc.? Like an SSH packet will always contain some known info, etc.

drum55 8 days ago | parent | next [-]

In some systems, sort of. The ESP32 encryption has a bizarre implementation where adjacent blocks in counter mode reuse the same nonce, so knowing the structure of the plaintext can directly reveal the content of some blocks.

tlhunter 8 days ago | parent | prev [-]

I'm not sure why drum55's answer is buried, but they're correct that the nonce concept in modern crypto addresses this issue.

conradludgate 8 days ago | parent | next [-]

It's not only the nonce. The nonce helps to ensure that a re-encrypted message doesn't produce the same ciphertext, but the known plaintext can still be used to forge messages. What stops message forgery is the message tag that TLS has (using AEADs like AES-GCM or ChaCha20-Poly1305).

That said, the nonce is still very important to avoid most key recovery attacks.
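
An added illustration of both points above (drum55's reused-nonce defect and the AEAD tag), not code from anyone in this thread; it uses Go's standard library with a constructed key, an all-zero nonce and two constructed 16-byte messages:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)
func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}
// CTREncrypt is AES-CTR with a caller-supplied 16-byte counter block (the "nonce").
func CTREncrypt(key, nonce, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCTR(mustAES(key), nonce).XORKeyStream(out, plaintext)
	return out
}
// KnownPlaintextUnderReusedNonce is the defect drum55 describes: one key and nonce give one
// keystream, so knowing p1 yields c1 XOR p1 XOR c2 = p2 (c1 and knownP1 must cover len(c2)).
func KnownPlaintextUnderReusedNonce(c1, knownP1, c2 []byte) []byte {
	out := make([]byte, len(c2))
	for i := range c2 {
		out[i] = c1[i] ^ knownP1[i] ^ c2[i]
	}
	return out
}

// GCMRejectsTampering is conradludgate's point: the AEAD tag, not the nonce, stops forgery.
// It seals plaintext, flips one ciphertext bit and returns true if Open rejected the result.
func GCMRejectsTampering(key, plaintext []byte) bool {
	gcm, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize()) // all-zero for reproducibility; unique per message in real use
	sealed := gcm.Seal(nil, nonce, plaintext, nil)
	sealed[0] ^= 0x01 // corrupt one bit of the ciphertext
	_, err = gcm.Open(nil, nonce, sealed, nil)
	return err != nil
}

func main() {
	key, nonce := []byte("0123456789abcdef"), make([]byte, aes.BlockSize) // constructed demo values
	p1, p2 := []byte("GET / HTTP/1.1\r\n"), []byte("Secret: hunter2\n")   // p1 is the predictable "known" message
	c1, c2 := CTREncrypt(key, nonce, p1), CTREncrypt(key, nonce, p2)     // same nonce twice: the bug
	fmt.Printf("recovered %q; tamper detected: %v\n", KnownPlaintextUnderReusedNonce(c1, p1, c2), GCMRejectsTampering(key, p2))
}
```

With a fresh nonce for the second message the XOR yields noise rather than p2, which is exactly what the nonce buys you; the tag is what makes the edited ciphertext fail outright.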

Jweb_Guru 8 days ago | parent [-]

Yeah, the real answer here is that this is what AEADs are for.

macintux 8 days ago | parent | prev [-]

Probably because that's the user's only comment. I've vouched for it.