[Cryptography] AES GCM insecure vs OCB1/OCB3 ??
Christian Huitema
huitema at huitema.net
Sun Feb 14 20:10:21 EST 2021
On 2/14/2021 2:18 AM, Peter Gutmann wrote:
> For the protocols like TLS and SSH that use AES-RC4 and other RC4-equivalents
> like ChaCha20 (seen that too a few times, always used wrong), you only have to
> look at the incredible convolutions the protocols have to engage in to use it
> securely to see why it's so easy to get wrong. These modes/ciphers default to
> insecure. Any standard developer (i.e. a non-crypto-geek) is practically
> guaranteed to use them incorrectly.
>
> Which makes it easy for me to find vulnerabilities during audits, but probably
> doesn't do much for security. Stream ciphers are unsafe at any speed, whether
> they're called RC4 or AES-GCM or ChaCha20.
Please enlighten me, Peter. I see AES-GCM (and ChaCha20-Poly1305) as the
two options used to secure QUIC packets. The common knowledge is that
this is fine as long as three conditions hold: a different nonce is
used for each packet, which in QUIC is done by XORing a secret-dependent
IV with the 64-bit packet sequence number; the amount of data encrypted
with the same key is limited, which in QUIC is done by forcing a key
rotation after 2^26 packets for AES-GCM; and the number of decryption
errors for the same master secret does not exceed some limit (2^26, I
believe). What part of that is "unsafe at any speed"?
-- Christian Huitema
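The three conditions Christian lists, as an added example that is not part of the thread or of any QUIC stack: a nonce derived by XORing a secret-dependent IV with the packet number, a cap on packets protected under one key, and a cap on authentication failures per key. The IV, packet numbers and limit values passed in are constructed samples, and `KeyUsageGuard` is a hypothetical helper name.

```python
# Added example, not code from the thread or from any QUIC implementation.
# The IV, packet numbers and limits supplied by callers are constructed
# sample values, not protocol constants.

NONCE_LEN = 12  # AES-GCM and ChaCha20-Poly1305 both take a 96-bit nonce


def aead_nonce(iv: bytes, packet_number: int) -> bytes:
    """Left-pad the packet number with zeros to the IV length, then XOR it
    with the IV. Distinct packet numbers under one IV give distinct nonces."""
    if len(iv) != NONCE_LEN:
        raise ValueError("IV must be %d bytes" % NONCE_LEN)
    if not 0 <= packet_number < 2 ** 62:
        raise ValueError("packet number out of range")
    pn = packet_number.to_bytes(NONCE_LEN, "big")
    return bytes(a ^ b for a, b in zip(iv, pn))


class KeyUsageGuard:
    """Bookkeeping for one key generation (hypothetical helper): refuses to
    protect a packet once a usage limit is reached, refuses a packet number
    that does not strictly increase (which would repeat a nonce), and
    reports when authentication failures call for a key update."""

    def __init__(self, iv: bytes, confidentiality_limit: int, integrity_limit: int):
        self.iv = iv
        self.confidentiality_limit = confidentiality_limit
        self.integrity_limit = integrity_limit
        self.packets_protected = 0
        self.next_packet_number = 0  # sender-side: numbers only go up
        self.auth_failures = 0

    def key_update_required(self) -> bool:
        return (self.packets_protected >= self.confidentiality_limit
                or self.auth_failures >= self.integrity_limit)

    def protect(self, packet_number: int) -> bytes:
        """Return the nonce for this packet, or refuse if the key is spent."""
        if self.key_update_required():
            raise RuntimeError("key usage limit reached: rotate the key first")
        if packet_number < self.next_packet_number:
            raise RuntimeError("packet number reused: nonce would repeat")
        self.next_packet_number = packet_number + 1
        self.packets_protected += 1
        return aead_nonce(self.iv, packet_number)

    def record_auth_failure(self) -> None:
        """Count a failed tag check against this key's integrity limit."""
        self.auth_failures += 1
```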