Description:
The Double Ratchet implementation calls AES-GCM without passing the message header as Additional Authenticated Data (AAD), so the header fields are not covered by the authentication tag.
Details:
In src/ratchet.rs:196-205 the encryption path does not bind msg_num, previous_chain_len, or the prefixed nonce to the ciphertext: none of them is supplied as AAD, so a message whose msg_num or previous_chain_len has been rewritten still decrypts with a valid tag.
Impact:
An on-path attacker can rewrite these fields in transit to force the receiver to skip ahead and discard message keys (denial of service) or to desynchronize the sending and receiving chains, undermining the Post-Compromise Security (PCS) and Forward Secrecy (FS) guarantees the ratchet is meant to provide.
Location: /src/ratchet.rs:196-205
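To make the finding concrete, the following Python example is added here; it is not code from src/ratchet.rs and uses the `cryptography` package's AESGCM rather than the project's Rust crate. It seals a message the way the flawed path does (header sent alongside the ciphertext but not passed as AAD) and beside it the corrected call that passes the full header as AAD, then shows an on-path rewrite of msg_num succeeding against the first and failing against the second. The header layout (nonce || msg_num || previous_chain_len as big-endian u32s), the function names and the sample message are assumptions for illustration.

```python
import os
import struct
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12                   # 96-bit AES-GCM nonce, sent as a prefix
HEADER_LEN = NONCE_LEN + 4 + 4   # nonce || msg_num (u32) || previous_chain_len (u32)


def encode_header(nonce: bytes, msg_num: int, previous_chain_len: int) -> bytes:
    """Assumed wire layout (not taken from ratchet.rs): nonce, then two u32 big-endian counters."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 12 bytes")
    return nonce + struct.pack(">II", msg_num, previous_chain_len)


def decode_header(header: bytes):
    nonce = header[:NONCE_LEN]
    msg_num, previous_chain_len = struct.unpack(">II", header[NONCE_LEN:HEADER_LEN])
    return nonce, msg_num, previous_chain_len


def seal(key: bytes, msg_num: int, previous_chain_len: int, plaintext: bytes, bind_header: bool) -> bytes:
    """bind_header=False reproduces the flaw: the header is transmitted but not passed as AAD."""
    nonce = os.urandom(NONCE_LEN)
    header = encode_header(nonce, msg_num, previous_chain_len)
    aad = header if bind_header else None
    return header + AESGCM(key).encrypt(nonce, plaintext, aad)


def open_message(key: bytes, message: bytes, bind_header: bool):
    """Returns (msg_num, previous_chain_len, plaintext); raises InvalidTag if the tag check fails."""
    header, ciphertext = message[:HEADER_LEN], message[HEADER_LEN:]
    nonce, msg_num, previous_chain_len = decode_header(header)
    aad = header if bind_header else None
    plaintext = AESGCM(key).decrypt(nonce, ciphertext, aad)
    # Only act on the counters after the tag has verified.
    return msg_num, previous_chain_len, plaintext


def rewrite_counters(message: bytes, msg_num: int, previous_chain_len: int) -> bytes:
    """On-path attacker: replace the two counters, leave nonce and ciphertext untouched."""
    nonce, _, _ = decode_header(message[:HEADER_LEN])
    return encode_header(nonce, msg_num, previous_chain_len) + message[HEADER_LEN:]


def demo(key: Optional[bytes] = None) -> dict:
    key = key or AESGCM.generate_key(bit_length=256)
    plaintext = b"constructed sample message"   # constructed input, not a captured message
    results = {}

    # Flawed variant: counters rewritten from (3, 7) to (4000, 7). Decryption still
    # succeeds, so a Double Ratchet receiver would treat this as message 4000 and
    # derive/store thousands of skipped message keys (or abort at its skip limit).
    flawed = seal(key, 3, 7, plaintext, bind_header=False)
    forged = rewrite_counters(flawed, 4000, 7)
    n, _, pt = open_message(key, forged, bind_header=False)
    results["unbound_accepted"] = pt == plaintext
    results["unbound_msg_num_seen"] = n

    # Fixed variant: the same rewrite is caught because the header is part of the AAD.
    fixed = seal(key, 3, 7, plaintext, bind_header=True)
    try:
        open_message(key, rewrite_counters(fixed, 4000, 7), bind_header=True)
        results["bound_rejected"] = False
    except InvalidTag:
        results["bound_rejected"] = True

    # The untampered bound message still opens with the genuine counters.
    results["bound_genuine"] = open_message(key, fixed, bind_header=True)[:2]
    return results


if __name__ == "__main__":
    print(demo())
```

The fix in the Rust code has the same shape: serialize the header bytes first, hand exactly those bytes to the AEAD encrypt and decrypt calls as the associated data, and read msg_num and previous_chain_len only after decryption (and therefore tag verification) succeeds, so no key-skipping or chain bookkeeping happens on unauthenticated values.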