[Cryptography] Crypto best practices

Christian Huitema huitema at huitema.net
Thu Mar 16 22:57:00 EDT 2017



On 3/16/2017 6:21 PM, Ron Garret wrote:
> On Mar 16, 2017, at 5:37 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>
>> Ray Dillinger <bear at sonic.net> writes:
>>
>>> Stream Ciphers simply aren't worth the level of complexity risk required to
>>> design with them any more, and have not been for a long time.
>> +1 to all of that.  It's the "RC4 all over again" thing...
> You need to go back and rethink this.  If someone takes this advice as stated they will conclude that AES in ECB mode is preferable to using the NaCl library because XSalsa20 is a stream cipher and AES is not.  I think I know what the two of you are trying to say, but if there has ever been an area of human endeavor that demands precision in the formulation of recommendations, it’s this.

I get the IV fragility part. Was just reviewing an RFC draft about
ciphers for IPSEC, with a recommendation to disallow all the current
AEAD-style ciphers when manual configuration is used instead of IKEv2,
because manual configuration cannot guarantee a non-repeating IV. But
then, where is the alternative? How about designing a cipher mode that
combines the robustness of CBC with the safety of AEAD? Looking at the
literature, the only reference I find is a mythical variant of Keccak,
mythical as in rumored to exist but never seen in the wild...

-- Christian Huitema
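The IV fragility discussed in this thread, shown concretely as an added example (my code, not Christian's and not from any RFC draft): AES-GCM from Go's standard library with a reused nonce, next to the kind of explicit counter state a manually configured association would need to rule reuse out. The key, prefix and nonces are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// ctrPart seals pt with AES-GCM and drops the 16-byte tag, leaving pt XOR keystream.
func ctrPart(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // only fails for non-128-bit block ciphers
	ct := aead.Seal(nil, nonce, pt, nil)
	return ct[:len(ct)-aead.Overhead()]
}

// KeystreamCancels reports whether ct1 XOR ct2 == pt1 XOR pt2 for equal-length
// messages sealed under (key, n1) and (key, n2). It is true whenever n1 == n2:
// the keystream cancels, so a static manual IV exposes plaintext relationships.
func KeystreamCancels(key, n1, n2, pt1, pt2 []byte) bool {
	ct1, ct2 := ctrPart(key, n1, pt1), ctrPart(key, n2, pt2)
	for i := range ct1 {
		if ct1[i]^ct2[i] != pt1[i]^pt2[i] {
			return false
		}
	}
	return true
}

// NonceCounter is the explicit state a manually keyed association needs to
// guarantee uniqueness: a fixed prefix plus a counter that refuses to wrap.
type NonceCounter struct {
	Prefix [4]byte
	Next   uint64
}

func (c *NonceCounter) Nonce() ([]byte, error) {
	if c.Next == ^uint64(0) {
		return nil, errors.New("nonce space exhausted: rekey before sending more")
	}
	n := make([]byte, 12)
	copy(n, c.Prefix[:])
	binary.BigEndian.PutUint64(n[4:], c.Next)
	c.Next++
	return n, nil
}
```

With IKEv2 the counter state and rekeying are negotiated for you; with manual keying nothing enforces either, which is the gap the draft's recommendation is reacting to.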
