[Cryptography] Crypto best practices

John-Mark Gurney jmg at funkthat.com
Sun Mar 19 13:26:04 EDT 2017


Peter Gutmann wrote this message on Sun, Mar 19, 2017 at 03:33 +0000:
> Ralf Senderek <crypto at senderek.ie> writes:
> 
> >As always, details matter. What we need are solutions to specific problems,
> >(like secure authenticated messaging) in which every aspect of the solution
> >can be justified as a necessary part of the secure system's required
> >behaviour.
> 
> That's one of the big problems, no-one can agree on what the required
> behaviour is.  For example in theory we should all be using the theoretically-
> perfect, provably-secure encryption system of one-time pads, but they're so
> hard to get right that no-one would ever suggest that.  Instead, we use close-
> to-theoretically-perfect but incredibly brittle modes like CTR and GCM, which
> have the same failure mode as OTPs but now it's OK because look at all the
> elegance and mathematics and stuff!  Only very recently has there been any
> interest in misuse-resistant crypto, but even then it's things like GCM-SIV
> that inherits the brittleness of CTR mode (via GCM) but adds an inability to
> use it in streaming mode because you need to make two passes over the data.
> 
> I'm willing to trade off a little bit of security in exchange for robustness,
> because my code has to work in harsh environments and I can't afford to have
> the first woodpecker that comes along destroy civilisation.  So my "required
> behaviour" is "as secure as possible provided it doesn't compromise
> robustness", which seems to be rather different from many people's "the
> underlying hardware and software and developers work flawlessly, make it as
> theoretically perfect as you can assuming completely error-free
> functionality".

It seems odd that people are looking so hard for new crypto modes, when
something like XEX could be used to replace the counter mode in GCM...

Doesn't solve same nonce (tweak) + same plaintext == same ciphertext,
but should solve same nonce leaks plaintext difference, though it still
results in blocks of plaintext == same ciphertext...

P.S. I'm not a cryptographer, but have implemented crypto under the
guidance of cryptographers...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
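The failure mode discussed above, as an added example that is not part of the original message: AES-CTR with a reused nonce leaks P1 xor P2 from the two ciphertexts, while a single-block XEX under a reused tweak does not, but still maps the same (tweak, plaintext) pair to the same ciphertext. The key, nonce and plaintext blocks are constructed values; the XEX formula follows Rogaway's construction with the tweak encrypted under the same key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed inputs (not from the original message): an AES-128 key, a nonce that
// is used for two messages, and two different 16-byte plaintext blocks.
var Key, Nonce = []byte("0123456789abcdef"), []byte("same-nonce-twice")
var P1, P2 = []byte("attack at dawn!!"), []byte("retreat at dusk!")

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// CTR: the keystream depends only on (key, nonce), so reuse gives C1^C2 == P1^P2.
func ctrEncrypt(key, iv, pt []byte) []byte {
	b, _ := aes.NewCipher(key) // 16-byte key, so no error is possible
	ct := make([]byte, len(pt))
	cipher.NewCTR(b, iv).XORKeyStream(ct, pt)
	return ct
}

// XEX (Rogaway), one block: C = E_K(P ^ T) ^ T with T = E_K(tweak) (block j of a
// longer message would use T * alpha^j); the plaintext goes through the cipher.
func xexEncryptBlock(key, tweak, pt []byte) []byte {
	b, _ := aes.NewCipher(key)
	t := make([]byte, 16)
	b.Encrypt(t, tweak)
	x := xorBytes(pt, t)
	b.Encrypt(x, x)
	return xorBytes(x, t)
}

// NonceReuseLeaks encrypts P1 and P2 under one nonce/tweak: does CTR leak P1^P2, does
// XEX leak P1^P2, and does XEX still map equal (tweak, plaintext) to equal ciphertext?
func NonceReuseLeaks() (ctrLeaks, xexLeaks, xexDeterministic bool) {
	c1, c2 := ctrEncrypt(Key, Nonce, P1), ctrEncrypt(Key, Nonce, P2)
	x1, x2 := xexEncryptBlock(Key, Nonce, P1), xexEncryptBlock(Key, Nonce, P2)
	ctrLeaks = bytes.Equal(xorBytes(c1, c2), xorBytes(P1, P2))
	xexLeaks = bytes.Equal(xorBytes(x1, x2), xorBytes(P1, P2))
	xexDeterministic = bytes.Equal(x1, xexEncryptBlock(Key, Nonce, P1)) && !bytes.Equal(x1, x2)
	return
}
```

XEX here is unauthenticated, like CTR; it only changes what a reused nonce reveals, not the need for a MAC on top.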