[Cryptography] Crypto best practices
Hanno Böck
hanno at hboeck.de
Tue Mar 14 07:47:35 EDT 2017
On Sun, 12 Mar 2017 11:41:58 +0000
Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> I assume you mean GCM there, the most popular AEAD mode. So you're
> suggesting switching from a mode that has some relatively low-impact,
> obscure issues (various oracle attacks) to one that fails
> catastrophically if you get it wrong. That seems like a giant move
> backwards in terms of safety. GCM is RC4 all over again, and look how
> well that turned out.
GCM isn't perfect. I should know, I've written a paper about attacks on
GCM. We should move to more resilient AEADs. A lot is happening in that
space right now.
But I'd always say using GCM is a better solution than not using AEADs
at all and handcrafting your own solution with CBC+HMAC or - worse - not
using any authentication (which is surprisingly common).
I'm not sure I fully understand your remark about RC4. I guess it's
something that RC4 is a stream cipher and GCM is based on counter mode
and thus also "like a stream cipher". One can argue that this is a more
fragile thing than some other constructions.
But the main problem with RC4 was that the keystream is biased. I'm not
aware of any similar issue with GCM.
--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
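The two properties argued over above (GCM authenticates, so a tampered ciphertext is rejected; GCM is counter mode underneath, so a repeated nonce reuses the keystream and leaks the XOR of two plaintexts) can be shown in a few lines with Go's standard library. This is an added example and not code from the thread or from either poster; the key, nonce and plaintexts are constructed demo values, and the helper names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// demoKey is a constructed 128-bit key for the example only.
var demoKey = []byte("0123456789abcdef")

// newGCM builds an AES-GCM AEAD for a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// freshNonce returns a random 96-bit nonce. Never repeating a nonce under
// the same key is the one requirement GCM cannot survive losing.
func freshNonce() ([]byte, error) {
	n := make([]byte, 12)
	_, err := rand.Read(n)
	return n, err
}

// seal encrypts and authenticates pt (and binds aad) under key/nonce.
// Go appends the 16-byte tag after the ciphertext body.
func seal(key, nonce, pt, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, pt, aad), nil
}

// open verifies the tag and decrypts; any modification yields an error.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// tamperDetected flips one ciphertext bit and reports whether Open rejected
// it. This is what a handcrafted or missing MAC layer would not give you.
func tamperDetected(key, nonce, pt, aad []byte) (bool, error) {
	ct, err := seal(key, nonce, pt, aad)
	if err != nil {
		return false, err
	}
	ct[0] ^= 0x01
	_, err = open(key, nonce, ct, aad)
	return err != nil, nil
}

// xorBytes returns a XOR b for equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// nonceReuseLeak encrypts p1 and p2 under the SAME key and nonce and returns
// the XOR of the two ciphertext bodies (tags stripped). Because GCM is AES in
// counter mode, the keystreams are identical, so the result equals p1 XOR p2
// without any knowledge of the key: the "fails catastrophically" case.
func nonceReuseLeak(key, nonce, p1, p2 []byte) ([]byte, error) {
	if len(p1) != len(p2) {
		return nil, fmt.Errorf("plaintexts must have equal length")
	}
	c1, err := seal(key, nonce, p1, nil)
	if err != nil {
		return nil, err
	}
	c2, err := seal(key, nonce, p2, nil)
	if err != nil {
		return nil, err
	}
	return xorBytes(c1[:len(p1)], c2[:len(p2)]), nil
}

func main() {
	nonce, _ := freshNonce()
	p1 := []byte("first plaintext!")
	p2 := []byte("second plaintext")
	ok, _ := tamperDetected(demoKey, nonce, p1, []byte("hdr"))
	fmt.Println("tampering detected:", ok)
	leak, _ := nonceReuseLeak(demoKey, nonce, p1, p2)
	fmt.Println("ct1^ct2 == p1^p2 under a reused nonce:", bytes.Equal(leak, xorBytes(p1, p2)))
}
```

With a fresh nonce per message the second check is moot, which is the practical point: a counter or random 96-bit nonce that is never reused under one key keeps GCM in the safe regime, and the authentication tag is what rejects the flipped bit that an unauthenticated CBC or CTR construction would silently decrypt.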