[Cryptography] [FORGED] Re: Crypto best practices

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Mar 21 02:22:34 EDT 2017


Natanael <natanael.l at gmail.com> writes:

>As for a quick demonstration of that you can have secure "streaming behavior"
>without needing to start off with a full pass on the plaintext / ciphertext
>before final encryption / decryption:
>
>Option A: Use CBC mode (or another non-stream cipher mode), but instead of
>computing an HMAC authentication tag on the full ciphertext first when the
>encryption is done, you compute HMAC tags on one or a few blocks at a time
>and append the tag to those blocks. Then for each set of blocks after the
>first set you also use the previous HMAC tag as an input (chaining the HMAC
>tags).
>
>Option B: As above use CBC, and for ciphertext authentication you iteratively
>build a Merkle tree hash of the ciphertext blocks as you go during the
>encryption, and sign each Merkle root hash version, then you validate each of
>the ciphertext blocks against the signed Merkle root on decryption.

It's not too hard to come up with a Rube-Goldberg mechanism that deals with
particular issues like misuse of IVs or streaming, but the problem with these
schemes is that they take the initial issue, that IVs are too confusing and
complex to deal with so people get it wrong, and make the problem ten times
worse.  The reason why RC4 was so popular is because it's incredibly simple,
it takes a key and magics plaintext in-place into ciphertext and back again
with no message expansion or other complications.  I'm not saying that you can
do the equivalent of RC4 in a sound manner, but if you've got something that
gets misused because of its complexity then the proposed replacement shouldn't
involve even more complexity.

Peter.
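Option A from the quoted message, written out as an added example (not code from either poster) so the framing the scheme needs is visible: AES-CBC with one HMAC-SHA256 tag per ciphertext block, each tag chained to the previous one, and the receiver verifying each tag before it decrypts that block. The names Encrypt, Decrypt and chainedTag, the one-block-per-tag granularity and the keys used in the test are my assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)
const bs, tagLen = aes.BlockSize, sha256.Size // one CBC block per chained tag
// tag_i = HMAC(tag_{i-1} || ct_i), chain seeded with the IV, so each tag commits to every earlier block.
func chainedTag(macKey, prev, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(prev)
	m.Write(ct)
	return m.Sum(nil)
}

// Encrypt returns iv || ct_1 || tag_1 || ... || ct_n || tag_n; pt must already be block-aligned.
func Encrypt(block cipher.Block, macKey, iv, pt []byte) ([]byte, error) {
	if len(pt) == 0 || len(pt)%bs != 0 {
		return nil, errors.New("plaintext not block-aligned")
	}
	cbc, out, prev := cipher.NewCBCEncrypter(block, iv), append([]byte{}, iv...), iv
	for off := 0; off < len(pt); off += bs {
		ct := make([]byte, bs)
		cbc.CryptBlocks(ct, pt[off:off+bs]) // CBC state carries across calls
		prev = chainedTag(macKey, prev, ct)
		out = append(append(out, ct...), prev...)
	}
	return out, nil
}

// Decrypt verifies each tag before decrypting its block, releasing plaintext block by block.
func Decrypt(block cipher.Block, macKey, data []byte) ([]byte, error) {
	if len(data) <= bs || (len(data)-bs)%(bs+tagLen) != 0 {
		return nil, errors.New("malformed stream")
	}
	iv, rest := data[:bs], data[bs:]
	cbc, prev, pt := cipher.NewCBCDecrypter(block, iv), iv, []byte{}
	for ; len(rest) > 0; rest = rest[bs+tagLen:] {
		ct, tag := rest[:bs], rest[bs:bs+tagLen]
		if !hmac.Equal(tag, chainedTag(macKey, prev, ct)) {
			return nil, errors.New("block authentication failed")
		}
		buf := make([]byte, bs)
		cbc.CryptBlocks(buf, ct)
		pt, prev = append(pt, buf...), tag
	}
	return pt, nil
}
```

Nothing in the quoted scheme marks the end of the stream, so a ciphertext cut off at a block boundary still verifies; a deployable version needs an end-of-stream marker under the MAC, which is yet more framing on top of the chaining.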
