[Cryptography] Crypto best practices

Watson Ladd watsonbladd at gmail.com
Sun Mar 19 15:25:29 EDT 2017


On Sat, Mar 18, 2017 at 8:33 PM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Ralf Senderek <crypto at senderek.ie> writes:
>
>>As always, details matter. What we need are solutions to specific problems,
>>(like secure authenticated messaging) in which every aspect of the solution
>>can be justified as a necessary part of the secure system's required
>>behaviour.
>
> That's one of the big problems, no-one can agree on what the required
> behaviour is.  For example in theory we should all be using the theoretically-
> perfect, provably-secure encryption system of one-time pads, but they're so
> hard to get right that no-one would ever suggest that.  Instead, we use close-
> to-theoretically-perfect but incredibly brittle modes like CTR and GCM, which
> have the same failure mode as OTPs but now it's OK because look at all the
> elegance and mathematics and stuff!  Only very recently has there been any
> interest in misuse-resistant crypto, but even then it's things like GCM-SIV
> that inherits the brittleness of CTR mode (via GCM) but adds an inability to
> use it in streaming mode because you need to make two passes over the data.

It makes two passes to be nonce-misuse resistant. I don't understand
what "brittleness" you complain about: it doesn't fail
on nonce reuse the same way CTR mode does. The reason why people pick
CTR is parallelizability, not mathematical elegance.

Streaming is inherently dangerous as the application can use data
which has not been authenticated yet. Packetizing into small
authenticated packets is the way to go here.

>
> I'm willing to trade off a little bit of security in exchange for robustness,
> because my code has to work in harsh environments and I can't afford to have
> the first woodpecker that comes along destroy civilisation.  So my "required
> behaviour" is "as secure as possible provided it doesn't compromise
> robustness", which seems to be rather different from many people's "the
> underlying hardware and software and developers work flawlessly, make it as
> theoretically perfect as you can assuming completely error-free
> functionality".


>
> Peter.
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
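The two points in the reply above (CTR's failure mode under nonce reuse, and packetizing a stream into small authenticated chunks instead of releasing unauthenticated data) can be shown with a short script. This is an added example, not code from the post or from any library the thread mentions. It assumes a toy "block cipher": HMAC-SHA256 used as a PRF over (nonce || counter) stands in for AES so the script needs only the Python standard library; keys, nonces, messages and the chunk format (index, final flag, ciphertext, tag) are all constructed here for illustration and are not any standard's wire format.

```python
"""Added example: the two-time-pad failure of CTR under nonce reuse, and a
chunked authenticate-then-release stream that never yields unverified data.
The PRF-in-counter-mode below is a stand-in for AES-CTR (assumption), so the
keystream properties shown are those of the mode, not of a specific cipher."""
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def derive(key, label):
    # Domain-separate the encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def ctr_keystream(key, nonce, length):
    # Counter mode over a PRF: keystream block i = PRF(key, nonce || i).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_encrypt(key, nonce, data):
    # XOR with the keystream; decryption is the same operation.
    return bytes(a ^ b for a, b in zip(data, ctr_keystream(key, nonce, len(data))))


def recover_with_known_plaintext(c1, c2, p1):
    # Nonce reuse: c1 XOR c2 == p1 XOR p2, so knowing p1 reveals p2 (two-time pad).
    return bytes(a ^ b ^ c for a, b, c in zip(c1, c2, p1))


def seal_chunks(key, stream_nonce, data, chunk_size):
    # Split into chunks; each gets a per-chunk nonce (stream_nonce || index)
    # and a tag over (stream_nonce, index, final flag, ciphertext).
    enc_key, mac_key = derive(key, b"enc"), derive(key, b"mac")
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    sealed = []
    for idx, chunk in enumerate(chunks):
        header = struct.pack(">I?", idx, idx == len(chunks) - 1)
        ct = ctr_encrypt(enc_key, stream_nonce + header[:4], chunk)
        tag = hmac.new(mac_key, stream_nonce + header + ct, hashlib.sha256).digest()
        sealed.append(header + ct + tag)
    return sealed


def open_chunks(key, stream_nonce, sealed):
    # Generator: verify each chunk before yielding its plaintext, and enforce
    # ordering and the final flag so reordering and truncation are rejected.
    enc_key, mac_key = derive(key, b"enc"), derive(key, b"mac")
    expected = 0
    for blob in sealed:
        header, ct, tag = blob[:5], blob[5:-TAG_LEN], blob[-TAG_LEN:]
        want = hmac.new(mac_key, stream_nonce + header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise ValueError("bad tag at chunk %d" % expected)
        idx, final = struct.unpack(">I?", header)
        if idx != expected:
            raise ValueError("chunk %d arrived out of order" % idx)
        yield ctr_encrypt(enc_key, stream_nonce + header[:4], ct)
        expected += 1
        if final:
            return
    raise ValueError("stream truncated: final chunk never arrived")


def open_all(key, stream_nonce, sealed):
    return b"".join(open_chunks(key, stream_nonce, sealed))


def stream_rejects(key, stream_nonce, sealed):
    # True if the receiver refuses the stream (used for the tamper cases below).
    try:
        open_all(key, stream_nonce, sealed)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 8  # constructed sample key and nonce
    p1, p2 = b"attack at dawn", b"defend at dusk"
    c1, c2 = ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2)  # same nonce twice
    print("recovered second plaintext:", recover_with_known_plaintext(c1, c2, p1))
    sealed = seal_chunks(key, nonce, b"stream of records to packetize", 8)
    print("roundtrip:", open_all(key, nonce, sealed))
    print("truncated stream rejected:", stream_rejects(key, nonce, sealed[:-1]))
    print("reordered stream rejected:", stream_rejects(key, nonce, sealed[::-1]))
```

The chunk tag covers the stream nonce and the index, so a chunk cannot be replayed into another stream or moved within one, and the final flag lets the receiver distinguish "end of stream" from "connection cut after chunk k". The price is the same one GCM-SIV pays at a coarser granularity: nothing is released until a whole chunk has been verified, so the application chooses its latency by choosing the chunk size.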

