[Cryptography] Suite B after today's news

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Sep 5 22:35:14 EDT 2013


Jon Callas <jon at callas.org> writes:

>How do you feel (heh, I typoed that as "feal") about the other AEAD modes?

If it's not a stream cipher and doesn't fail catastrophically with IV reuse
then it's probably as good as any other mode.  Problem is that at the moment
modes like AES-CTR are being promulgated as fashion statements without any
consideration about operational deployment, when what we should be promoting
is something that's safely and effectively deployable.  Someblockcipher-CBC +
HMAC is a nice safe bet: run your HMAC, do a constant-time compare of the
result, toss the encrypted data if you get a verify failure, otherwise
decrypt; it's pretty straightforward.

Peter.


