[Cryptography] Crypto best practices

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Mar 19 21:45:07 EDT 2017


Watson Ladd <watsonbladd at gmail.com> writes:

>I don't understand what "brittleness" you complain about: it doesn't fail on
>nonce reuse the same way CTR mode does.

It fails if you don't increment the counter, so it's one glitch or one typo
away from failure, as has already happened in a crypto app written by an
experienced cryptographer: a single-character typo broke it completely.

(We don't know how many more of these issues are out there.  The RNG bugs in
both PGP classic and GPG were present for around ten years before anyone
looked at the code and noticed them).

>The reason why people pick CTR is parallelizability, not mathematical
>elegance.

Perhaps people designing exotic high-speed link encryption hardware, but the
masses who use it don't even know it's parallelizable, let alone choose it for
that.  The near-universal justification for AES-GCM/CTR use I've seen is that
it's trendy.  Not "use it because it's parallelizable", or "use it because it
has mathematical property XYZ", but "everyone knows you should use AES-GCM, why
are you still using [not AES-GCM]"?

Peter.
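The counter-increment failure discussed above, as an added illustration that is not code from the thread: a toy CTR mode in which HMAC-SHA256 stands in for the block cipher (the structure is what matters, not the primitive), the one missing line that turns it into a fixed-keystream cipher, and the test a defender can keep in a suite to catch it.

```python
import hashlib
import hmac

BLOCK = 32  # keystream bytes per counter block (SHA-256 digest size)


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Stand-in for E_k(nonce || counter). HMAC-SHA256 is used here only
    so the example runs without a cipher library; the counter layout
    (96-bit nonce, 32-bit big-endian counter) mirrors GCM's."""
    return hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes, *, buggy: bool = False) -> bytes:
    """CTR encryption/decryption (the operation is its own inverse).
    With buggy=True the counter is never advanced, reproducing the
    'forgot to increment' defect: every block is XORed with the same
    keystream, so the cipher degrades to a many-time pad."""
    out = bytearray()
    counter = 1  # GCM-style: counter block 1 for the first data block
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(key, nonce, counter)
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], ks))
        if not buggy:
            counter += 1  # the single line whose absence breaks everything
    return bytes(out)


def keystream_repeats(encrypt, nblocks: int = 4) -> bool:
    """Regression check: encrypting all-zero bytes returns the raw keystream,
    so any repeated block means the counter did not advance.  `encrypt`
    is a callable taking plaintext and returning ciphertext."""
    ks = encrypt(bytes(nblocks * BLOCK))
    blocks = [ks[i:i + BLOCK] for i in range(0, len(ks), BLOCK)]
    return len(set(blocks)) != len(blocks)


if __name__ == "__main__":
    # Constructed sample key/nonce for the demonstration only.
    key, nonce = bytes(32), b"\x00" * 11 + b"\x01"
    good = lambda pt: ctr_encrypt(key, nonce, pt)
    bad = lambda pt: ctr_encrypt(key, nonce, pt, buggy=True)
    print("correct implementation repeats keystream:", keystream_repeats(good))
    print("buggy implementation repeats keystream:  ", keystream_repeats(bad))
```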

