[Cryptography] Crypto best practices

Ray Dillinger bear at sonic.net
Thu Mar 16 19:35:10 EDT 2017


As long as we have a discussion of crypto best practices going on I'd
like to propose one.

This may be controversial because it is practically the definition of
'stream cipher,' so I'm about to make a blanket condemnation of an
accepted 'standard' in security design primitives, but....

I would like to go on the record as stating that, in my opinion, any
stream cipher based on combining plaintext with keystream using XOR (or
modular addition, or similarly easily-reversed primitive), is not
appropriate for security purposes.  I do not recommend using that
construction in any design if there is any applicable alternative. And
it is my opinion that there are always applicable alternatives because
whatever virtues these ciphers have are present in other ciphers that
also have other virtues.

Stream ciphers of this type are something we inherited from pre-computer
pen-and-paper codes and ciphers, and making them work at the scale and
complexity of modern protocols, with the required distribution of
secret IVs, salts, and protection of data integrity, and in spite of
formatted data having related and identical plaintext sequences at known
offsets, has required effort and risk, and caused failures, out of
proportion to the benefits compared with other classes of cipher.

Almost any design made with any other type of cipher in mind is
automatically broken when implemented with a conventional stream cipher,
and a design with a conventional stream cipher in mind is excessively
(dangerously) complex and fragile when compared with any other type of
cipher.

There are too many attacks (not just the obvious bit-flipping mutation
attacks, but IV-recovery attacks, keystream side channel attacks, parity
attacks, etc) that this class of ciphers is subject to compared with
other classes of cipher.  There are too many things irrelevant to other
ciphers that can be made into attacks w/r/t these ciphers.

It's just plain time to stop using them in new designs.  In fact it has
been past time to stop using them since WWII, but they've just been such
an accepted part of the world that nobody's ever seriously reconsidered
whether they are in fact worthwhile.

Other encryption primitives have gotten stronger.  Resistance to other
kinds of cryptographic attack has gotten stronger as a result.  But
resistance to the specific types of attack that stream ciphers are
subject to has not kept pace. The complexity required to *defend* them
from those attacks on the other hand has been ramping up, for decades,
in proportion to the increasing complexity of protocols and the
proliferation of "related plaintexts" in the form of formatted data and
protocol messages.

Stream ciphers simply aren't worth the level of complexity risk required
to design with them any more, and have not been for a long time.

This is just my opinion.  But you can use it if you like; I don't mind.

					Bear

---
"Engineers like to solve problems.  If there are no problems handily
available, they will create their own."  -- Scott Adams
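The following is an added worked example (editor's code, not part of Bear's
post) of the "obvious bit-flipping mutation attack" the post refers to, and of
the integrity protection the post counts as part of the cost of using an XOR
stream cipher. The keystream generator, keys, nonce and message are all
constructed for the demonstration: the keystream is a toy SHA-256 counter
construction standing in for a real stream cipher, because the malleability
shown here comes from the XOR combining step and is the same whatever
keystream is used. The second half shows that an encrypt-then-MAC wrapper
(HMAC-SHA256 over nonce and ciphertext) rejects the same forgery.

```python
import hashlib
import hmac
import struct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter).

    Constructed stand-in for a real stream cipher. The XOR malleability
    demonstrated below does not depend on the quality of this keystream.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """C = P XOR keystream. Decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt


def bit_flip(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Attacker who knows plaintext bytes `known` sit at `offset` rewrites them
    to `desired` (same length) without the key: C' = C XOR known XOR desired,
    because (P XOR K) XOR P XOR D = D XOR K."""
    if len(known) != len(desired):
        raise ValueError("replacement must keep the field length")
    c = bytearray(ciphertext)
    for i, p in enumerate(xor_bytes(known, desired)):
        c[offset + i] ^= p
    return bytes(c)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Integrity layer the post counts as part of the cost: MAC over nonce||ct."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Returns the plaintext, or None if the tag does not verify."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, nonce, ct)


def demo() -> dict:
    # Constructed fixed keys, nonce and message so the run is deterministic.
    enc_key = b"E" * 32
    mac_key = b"M" * 32
    nonce = b"\x00" * 8
    msg = b"amount=0000100;to=alice"  # formatted data: field at a known offset

    # Unauthenticated XOR stream cipher: attacker knows the layout, not the key.
    ct = encrypt(enc_key, nonce, msg)
    forged = bit_flip(ct, 7, b"0000100", b"9999900")
    forged_pt = decrypt(enc_key, nonce, forged)

    # Same forgery against the encrypt-then-MAC construction.
    ct2, tag = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    forged2 = bit_flip(ct2, 7, b"0000100", b"9999900")

    return {
        "honest_roundtrip": decrypt(enc_key, nonce, ct) == msg,
        "forged_plaintext": forged_pt,
        "mac_accepted_forgery": verify_then_decrypt(enc_key, mac_key, nonce, forged2, tag) is not None,
        "mac_honest_roundtrip": verify_then_decrypt(enc_key, mac_key, nonce, ct2, tag) == msg,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The forged ciphertext decrypts to `amount=9999900;to=alice` under the bare
stream cipher, with the attacker never seeing the key; the MAC-wrapped version
rejects it, at the price of a second key, a tag and a verify-before-use
discipline on the receiving side.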
