conradludgate 8 days ago
It's not only the nonce. The nonce helps to ensure that a re-encrypted message doesn't have the same ciphertext, but the known plaintext can still be used to forge messages. What stops message forgery is the message tag that TLS has (using AEADs like AES-GCM or ChaCha20Poly1305). That said, the nonce is still very important to avoid most key recovery attacks.
Jweb_Guru 8 days ago
Yeah, the real answer here is that this is what AEADs are for.
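An added illustration of the two points above (not code from either commenter): a toy stream cipher shows that a nonce alone leaves a known-plaintext ciphertext rewritable, and that nonce reuse leaks the XOR of two plaintexts, while an authentication tag (here encrypt-then-HMAC as a stand-in for the AEAD tag of AES-GCM or ChaCha20Poly1305) makes the rewritten ciphertext fail verification. The keystream construction, key labels and sample key/nonce are constructed for the demo and are not a real AEAD.

```python
import hashlib
import hmac

# Toy keystream: HMAC-SHA256(key, nonce || counter). Stands in for a real
# stream mode; only the malleability/authentication behaviour matters here.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_noauth(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Unauthenticated stream encryption; decryption is the same operation.
    return xor(data, keystream(key, nonce, len(data)))

def rewrite_known_plaintext(ct: bytes, known_pt: bytes, new_pt: bytes) -> bytes:
    # Without the key: ct ^ known_pt recovers the keystream, ^ new_pt re-encrypts.
    # This is the "known plaintext can still be used to forge messages" case.
    assert len(known_pt) == len(new_pt) == len(ct)
    return xor(xor(ct, known_pt), new_pt)

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one root key (constructed labels).
    return hmac.new(key, label, hashlib.sha256).digest()

def seal(key: bytes, nonce: bytes, pt: bytes) -> tuple[bytes, bytes]:
    # Encrypt-then-MAC over nonce || ciphertext, the role the AEAD tag plays.
    ct = encrypt_noauth(_subkey(key, b"enc"), nonce, pt)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return ct, tag

def open_(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    # Constant-time tag check first; any rewritten ciphertext is rejected (None).
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return encrypt_noauth(_subkey(key, b"enc"), nonce, ct)

def nonce_reuse_leak(key: bytes, nonce: bytes, pt1: bytes, pt2: bytes) -> bytes:
    # Same key and nonce twice: ct1 ^ ct2 == pt1 ^ pt2, the keystream cancels.
    return xor(encrypt_noauth(key, nonce, pt1), encrypt_noauth(key, nonce, pt2))

if __name__ == "__main__":
    key, nonce = b"\x11" * 32, b"\x00" * 12  # constructed demo values
    ct, tag = seal(key, nonce, b"count=1")
    print(open_(key, nonce, ct, tag), open_(key, nonce, rewrite_known_plaintext(ct, b"count=1", b"count=9"), tag))
```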