[Cryptography] Crypto best practices

Hanno Böck hanno at hboeck.de
Tue Mar 14 07:47:35 EDT 2017


On Sun, 12 Mar 2017 11:41:58 +0000
Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> I assume you mean GCM there, the most popular AEAD mode.  So you're
> suggesting switching from a mode that has some relatively low-impact,
> obscure issues (various oracle attacks) to one that fails
> catastrophically if you get it wrong.  That seems like a giant move
> backwards in terms of safety. GCM is RC4 all over again, and look how
> well that turned out.

GCM isn't perfect. I should know, I've written a paper about attacks on
GCM. We should move to more resilient AEADs. A lot is happening in that
space right now.

But I'd always say using GCM is a better solution than not using AEADs
at all and handcrafting your own solution with CBC+HMAC or - worse - not
using any authentication (which is surprisingly common).

I'm not sure I fully understand your remark about RC4. I guess it's
something that RC4 is a stream cipher and GCM is based on counter mode
and thus also "like a stream cipher". One can argue that this is a more
fragile thing than some other constructions.
But the main problem with RC4 was that the keystream is biased. I'm not
aware of any similar issue with GCM.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
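A defensive wrapper illustrating the point above about GCM being counter-mode based and fragile under misuse, added here as an example and not code from the thread: it uses Go's standard-library AES-GCM with a counter-derived nonce so the keystream is never reused under one key, refuses to seal past an assumed per-key budget of 2^32 messages, and rejects any tampered message on Open instead of returning garbage plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Sealer wraps AES-GCM with a strictly increasing 96-bit nonce so the
// counter-mode keystream is never reused under one key.
type Sealer struct {
	aead cipher.AEAD
	next uint64 // messages sealed so far under this key
}

func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. It refuses to run past an
// assumed per-key budget of 2^32 messages rather than risk a repeated nonce.
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	if s.next >= 1<<32 {
		return nil, errors.New("key exhausted: rotate before sealing more")
	}
	nonce := make([]byte, s.aead.NonceSize()) // 12 bytes: 4 zero + 8-byte counter
	binary.BigEndian.PutUint64(nonce[4:], s.next)
	s.next++
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open authenticates before decrypting: any altered byte of ciphertext,
// tag or aad yields an error, never garbage plaintext.
func (s *Sealer) Open(msg, aad []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(msg) < n {
		return nil, errors.New("message too short")
	}
	return s.aead.Open(nil, msg[:n], msg[n:], aad)
}
```

The nonce counter lives in the Sealer, so a new Sealer must only ever be created with a fresh key; persisting the counter with the key is what keeps the no-reuse guarantee across restarts.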

