[Cryptography] Crypto best practices

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Mar 18 23:33:37 EDT 2017


Ralf Senderek <crypto at senderek.ie> writes:

>As always, details matter. What we need are solutions to specific problems,
>(like secure authenticated messaging) in which every aspect of the solution
>can be justified as a necessary part of the secure system's required
>behaviour.

That's one of the big problems, no-one can agree on what the required
behaviour is.  For example in theory we should all be using the theoretically-
perfect, provably-secure encryption system of one-time pads, but they're so
hard to get right that no-one would ever suggest that.  Instead, we use close-
to-theoretically-perfect but incredibly brittle modes like CTR and GCM, which
have the same failure mode as OTPs but now it's OK because look at all the
elegance and mathematics and stuff!  Only very recently has there been any
interest in misuse-resistant crypto, but even then it's things like GCM-SIV
that inherits the brittleness of CTR mode (via GCM) but adds an inability to
use it in streaming mode because you need to make two passes over the data.

I'm willing to trade off a little bit of security in exchange for robustness,
because my code has to work in harsh environments and I can't afford to have
the first woodpecker that comes along destroy civilisation.  So my "required
behaviour" is "as secure as possible provided it doesn't compromise
robustness", which seems to be rather different from many people's "the
underlying hardware and software and developers work flawlessly, make it as
theoretically perfect as you can assuming completely error-free
functionality".

Peter.
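An added illustration of the two points in the post above (this is example code written for this page, not Peter's code or any library's): CTR, and GCM built on it, reuse the one-time-pad failure mode, so a repeated key+nonce makes the XOR of two ciphertexts equal the XOR of the two plaintexts; a SIV-style construction avoids that by deriving the IV from the plaintext, at the cost of a full pass over the data before encryption can start. The block cipher is replaced by HMAC-SHA256 as a stand-in PRF (an assumption made so the example runs with only the standard library); the `NonceGuard` class, the `siv_*` functions and the key/nonce/message values are all constructed for this example and do not follow the GCM-SIV specification.

```python
import hashlib
import hmac

BLOCK = 32  # bytes of keystream per counter step (SHA-256 output); stands in for an AES block


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    # Stand-in PRF: HMAC-SHA256(key, nonce || counter). Same key+nonce => same keystream,
    # which is exactly the property that makes CTR (and GCM, CTR underneath) brittle.
    return hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: XOR the data with the keystream. Encrypt and decrypt are the same operation."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += xor_bytes(data[i:i + BLOCK], ctr_keystream_block(key, nonce, i // BLOCK))
    return bytes(out)


def nonce_reuse_leak(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bytes:
    """Encrypt two messages under one key+nonce and XOR the ciphertexts.
    The keystream cancels, so the result equals m1 XOR m2: the one-time-pad failure mode."""
    return xor_bytes(ctr_crypt(key, nonce, m1), ctr_crypt(key, nonce, m2))


class NonceGuard:
    """Refuse to encrypt twice under the same (key id, nonce). A cheap robustness check that a
    CTR/GCM user can bolt on; it does not fix the mode, it only catches the misuse in-process."""

    def __init__(self) -> None:
        self._seen: set = set()

    def encrypt(self, key_id: str, key: bytes, nonce: bytes, data: bytes) -> bytes:
        if (key_id, nonce) in self._seen:
            raise ValueError("nonce reuse under key %r refused" % key_id)
        self._seen.add((key_id, nonce))
        return ctr_crypt(key, nonce, data)


# SIV-style misuse-resistant construction (the idea behind GCM-SIV, not its specification):
# the IV is a MAC over nonce and plaintext, so a repeated nonce only reveals that two
# plaintexts were identical. The price is two passes: the whole plaintext must be MACed
# before the first byte can be encrypted, which is why such modes cannot stream.

def _subkeys(key: bytes):
    return (hashlib.sha256(b"siv-mac|" + key).digest(),
            hashlib.sha256(b"siv-enc|" + key).digest())


def siv_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    mac_key, enc_key = _subkeys(key)
    iv = hmac.new(mac_key, nonce + plaintext, hashlib.sha256).digest()[:16]  # pass 1: MAC
    return iv + ctr_crypt(enc_key, iv, plaintext)                            # pass 2: encrypt


def siv_decrypt(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    mac_key, enc_key = _subkeys(key)
    iv, ct = blob[:16], blob[16:]
    pt = ctr_crypt(enc_key, iv, ct)
    expected = hmac.new(mac_key, nonce + pt, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(iv, expected):
        raise ValueError("authentication failed")
    return pt


if __name__ == "__main__":
    # Constructed sample values, equal-length messages so the XOR covers both fully.
    key, nonce = b"k" * 32, b"n" * 12
    m1, m2 = b"transfer 100 to alice", b"transfer 999 to bobby"
    print("CTR nonce reuse leaks m1^m2:", nonce_reuse_leak(key, nonce, m1, m2) == xor_bytes(m1, m2))
    guard = NonceGuard()
    guard.encrypt("k1", key, nonce, m1)
    try:
        guard.encrypt("k1", key, nonce, m2)
    except ValueError as e:
        print("guard:", e)
    print("SIV same input twice is deterministic:",
          siv_encrypt(key, nonce, m1) == siv_encrypt(key, nonce, m1))
    print("SIV round trip:", siv_decrypt(key, nonce, siv_encrypt(key, nonce, m1)) == m1)
```

Run it as a script to see the three properties side by side: the CTR leak under a repeated nonce, the guard refusing the repeat, and the SIV variant degrading only to "these two plaintexts were equal". Note that `siv_encrypt` cannot emit anything until `hmac.new(...)` has consumed the entire plaintext, which is the streaming limitation the post refers to.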
