[Cryptography] Fw: Crypto best practices

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Mar 15 19:06:28 EDT 2017


Forwarded on behalf of the original poster, who can't post directly.

Peter.
________________________________________
From: Neuhaus Stephan (neut) <neut at zhaw.ch>
Sent: Thursday, 16 March 2017 07:17
To: dennis.hamilton at acm.org
Cc: Peter Gutmann
Subject: Re: [Cryptography] Crypto best practices

On 2017-03-15 17:15, "cryptography on behalf of Dennis E. Hamilton"
<cryptography-bounces+stephan.neuhaus=zhaw.ch at metzdowd.com on behalf of
dennis.hamilton at acm.org> wrote:

>> -----Original Message-----
>> From: cryptography [mailto:cryptography-bounces+dennis.hamilton=acm.org at metzdowd.com] On Behalf Of Peter Gutmann
>> Sent: Wednesday, March 15, 2017 04:19
>> To: Hanno Böck <hanno at hboeck.de>
>> Cc: Cryptography List <cryptography at metzdowd.com>; Arnold Reinhold <agr at me.com>
>> Subject: Re: [Cryptography] Crypto best practices
>[ ... ]
>>
>> AES-CTR, and by extension AES-GCM, have exactly the same problem, if you use
>> them in their most straightforward modes where you memcpy() in a fixed or all-
>> zero IV, you've got RC4 again.
>[orcmid]
>
>Huh?!
>
>Doesn't use of a fixed IV undermine practically any scheme?  One would
>hope that anything on use of AES-GCM would emphasize the security
>requirement concerning the IV.

Of course a fixed IV undermines any scheme, just with different
consequences. If you use, say, CBC with a fixed IV, what you get is that
equal plaintexts (or equal plaintext prefixes) get mapped to equal
ciphertexts. If you use RC4, CTR, or GCM with a fixed IV, you get THE SAME
KEY STREAM and you can undo the ENTIRE key stream on the ENTIRE
message, not just the equal prefix.

That’s what Peter meant with “no cryptanalysis necessary”.

That’s not to say that CTR, GCM and so on aren’t useful, but the question
is, if RC4 is banned (presumably not only because of its biases, but also
because of the IV reuse problem), then CTR and GCM should also be banned
because they suffer from the exact same problems.

(This message will probably bounce from the list because my employer
doesn’t allow me to use my preferred email address in From: fields, but
feel free to forward this mail to the list if you think it’s useful.)

Cheers,

Stephan
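The contrast Stephan draws above (CBC with a fixed IV leaks only equal prefixes; CTR or GCM with a fixed IV reuses the whole key stream) is easy to check in code. The following is an added example, not code from the thread or from any of its participants. To keep it runnable with only the Python standard library, the block cipher is a hypothetical 8-round Feistel network built on HMAC-SHA256, standing in for AES; the CTR and CBC constructions on top of it are the standard modes, and the key, IVs, messages and function names are all constructed for this illustration.

```python
"""Added example (not code from the thread): a fixed IV turns CTR/GCM into a
reused key stream, while CBC with a fixed IV reveals only equal block prefixes.
The block cipher is a hypothetical Feistel network with an HMAC-SHA256 round
function, an assumption standing in for AES so that the script needs nothing
outside the standard library; CTR and CBC are the real modes."""
import hashlib
import hmac

BLOCK = 16  # 128-bit block size, as in AES


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: 8 bytes derived from (key, round index, half)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher (stand-in for AES; any Feistel network is a permutation)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, rnd, right))
    return right + left  # undo the final swap so decryption mirrors encryption


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: same rounds in reverse order."""
    right, left = block[:8], block[8:]
    for rnd in reversed(range(8)):
        right, left = left, xor(right, _f(key, rnd, left))
    return left + right


def ctr_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR mode: key stream block i = E_K(iv || i). Same key and IV => same key stream."""
    assert len(iv) == BLOCK - 4  # 96-bit IV plus 32-bit counter, as in GCM
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = block_encrypt(key, iv + (i // BLOCK).to_bytes(4, "big"))
        out += xor(data[i:i + BLOCK], ks)
    return bytes(out)


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC mode over whole blocks: C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV."""
    assert len(iv) == BLOCK and len(data) % BLOCK == 0
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def ctr_fixed_iv_recovers_other(key, iv, known_plain, unknown_plain):
    """Two messages under one (key, IV) in CTR: c1 XOR c2 == p1 XOR p2 for the
    whole message, so one known plaintext yields the other without cryptanalysis."""
    c1 = ctr_encrypt(key, iv, known_plain)
    c2 = ctr_encrypt(key, iv, unknown_plain)
    return xor(xor(c1, c2), known_plain)


def ctr_distinct_ivs_leak(key, iv1, iv2, p1, p2):
    """With distinct IVs the key streams differ and the XOR relation disappears."""
    return xor(ctr_encrypt(key, iv1, p1), ctr_encrypt(key, iv2, p2)) == xor(p1, p2)


def cbc_fixed_iv_equal_prefix_blocks(key, iv, p1, p2):
    """Two messages under one (key, IV) in CBC: ciphertexts agree on exactly the
    leading blocks where the plaintexts agree, and diverge from the first difference on."""
    c1, c2 = cbc_encrypt(key, iv, p1), cbc_encrypt(key, iv, p2)
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed sample data: two 3-block messages that share only their first block.
KEY = b"constructed-key-for-demo-only!!!"  # 32 bytes, not a real secret
CTR_IV = b"\x00" * 12                      # the memcpy()'d all-zero IV from the thread
CBC_IV = b"\x00" * 16
P1 = b"Subject: invoice" + b"Amount: 1000 USD" + b"Account: 12345-6"
P2 = b"Subject: invoice" + b"Amount: 9999 USD" + b"Account: 99999-9"

if __name__ == "__main__":
    assert block_decrypt(KEY, block_encrypt(KEY, P1[:BLOCK])) == P1[:BLOCK]
    print("CTR, fixed IV, P2 recovered from P1 :", ctr_fixed_iv_recovers_other(KEY, CTR_IV, P1, P2))
    print("CTR, fresh IVs, plaintext XOR leaks  :", ctr_distinct_ivs_leak(KEY, CTR_IV, b"\x01" * 12, P1, P2))
    print("CBC, fixed IV, equal leading blocks  :", cbc_fixed_iv_equal_prefix_blocks(KEY, CBC_IV, P1, P2))
```

Run directly, the script prints the second message in full for the fixed-IV CTR case, `False` for the fresh-IV case, and `1` for CBC, i.e. only the shared first block is exposed there; the remaining two CBC blocks differ and their XOR carries no information about the plaintexts. The same reasoning applies to GCM, whose confidentiality layer is this CTR key stream, which is why a per-(key, IV) uniqueness check (a counter or a tracked set of IVs) belongs in any code path that calls into these modes.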

