[Cryptography] Crypto best practices

Jerry Leichter leichter at lrw.com
Sun Mar 19 09:09:47 EDT 2017


> Only very recently has there been any
> interest in misuse-resistant crypto, but even then it's things like GCM-SIV
> that inherits the brittleness of CTR mode (via GCM) but adds an inability to
> use it in streaming mode because you need to make two passes over the data....
I would guess that this is an area where the three-letter agencies are ahead of the open research community.  Actual safe use in the real world has always of necessity been a requirement for them.  Meanwhile, on the "break" side of the house, they've had decades of experience with underhanded means of getting into, through, and around systems.  Of course, their requirements are not exactly the same as those of individual or commercial users - they have much more of an ability to directly control how the systems they develop are actually used.

The earliest paper I know of that discussed this topic is a real oldie that I don't think I'll be able to track down now by Phil Rogaway.  He talked about the right practical abstractions for modes of operations, and suggested that the end-user call CBC(K, IV, data) not use the IV directly, but instead first encrypt it with K.  Then the IV would not have to be unpredictable, just non-repeating for a given key.  (E.g., a simple sequence number for the session would be fine.)

Unfortunately, it later turned out that this way of generating an IV IS NOT SECURE.  I don't recall the attack, but I think it was actually pretty simple.  Even the experts get it wrong sometimes!
                                                        -- Jerry
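The construction the message describes (CBC where the caller supplies a per-key sequence number and the mode uses E_K(seq) as the IV), written out as an added example; this is not code from the post or from Rogaway's paper. It assumes AES-128, PKCS#7 padding, a 64-bit big-endian sequence number prepended to the ciphertext, and a constructed demo key. Because E_K is a permutation, distinct sequence numbers always give distinct IVs, and the example also shows the failure mode the post's requirement guards against: reusing a sequence number under the same key makes the first ciphertext block repeat whenever the first plaintext block repeats, which a receiver can detect. The block only demonstrates the mechanics; it is unauthenticated CBC, and the post itself says the scheme was later found insecure, so it is not a recommendation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// deriveIV computes IV = E_K(seq): the sequence number is placed, big-endian,
// in the last 8 bytes of a zero block and encrypted once with the CBC key.
// (Assumption of this example: 16-byte AES block, 64-bit counter.)
func deriveIV(block cipher.Block, seq uint64) []byte {
	bs := block.BlockSize()
	in := make([]byte, bs)
	binary.BigEndian.PutUint64(in[bs-8:], seq)
	iv := make([]byte, bs)
	block.Encrypt(iv, in)
	return iv
}

// pkcs7Pad appends 1..bs bytes of padding so the length is a block multiple.
func pkcs7Pad(data []byte, bs int) []byte {
	n := bs - len(data)%bs
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips and validates PKCS#7 padding.
func pkcs7Unpad(data []byte, bs int) ([]byte, error) {
	if len(data) == 0 || len(data)%bs != 0 {
		return nil, fmt.Errorf("bad length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > bs {
		return nil, fmt.Errorf("bad padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, fmt.Errorf("bad padding")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptCBCSeq is the "CBC(K, seq, data)" call from the post: the caller
// passes a sequence number, never a raw IV. Output is seq || CBC ciphertext.
func EncryptCBCSeq(key []byte, seq uint64, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := deriveIV(block, seq)
	padded := pkcs7Pad(plaintext, block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := make([]byte, 8, 8+len(ct))
	binary.BigEndian.PutUint64(out, seq)
	return append(out, ct...), nil
}

// DecryptCBCSeq re-derives the IV from the transmitted sequence number.
func DecryptCBCSeq(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(msg) < 8+bs || (len(msg)-8)%bs != 0 {
		return nil, fmt.Errorf("malformed message")
	}
	iv := deriveIV(block, binary.BigEndian.Uint64(msg[:8]))
	pt := make([]byte, len(msg)-8)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, msg[8:])
	return pkcs7Unpad(pt, bs)
}

// FirstBlocksEqual reports whether two messages share their first ciphertext
// block. With this scheme that happens exactly when both the sequence number
// and the first plaintext block repeat, i.e. it flags counter reuse.
func FirstBlocksEqual(a, b []byte) bool {
	const bs = aes.BlockSize
	if len(a) < 8+bs || len(b) < 8+bs {
		return false
	}
	return bytes.Equal(a[8:8+bs], b[8:8+bs])
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, not a real secret
	pt := []byte("sequence numbers must never repeat under one key")
	m1, _ := EncryptCBCSeq(key, 1, pt)
	m2, _ := EncryptCBCSeq(key, 2, pt)
	m1again, _ := EncryptCBCSeq(key, 1, pt)
	fmt.Println("seq 1 vs seq 2 first block equal:", FirstBlocksEqual(m1, m2))
	fmt.Println("seq 1 reused first block equal: ", FirstBlocksEqual(m1, m1again))
	d, err := DecryptCBCSeq(key, m1)
	fmt.Printf("round trip: %q err=%v\n", d, err)
}
```

The sequence number travels in the clear, which is fine for the requirement the post states (non-repeating, not unpredictable); what must not happen is two messages under one key with the same counter, and FirstBlocksEqual is the kind of check a receiver or test harness can use to catch that.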



