[Cryptography] AES GCM insecure vs OCB1/OCB3 ??
Christian Huitema
huitema at huitema.net
Sun Feb 14 21:21:39 EST 2021
On 2/14/2021 5:57 PM, Peter Gutmann wrote:
> Christian Huitema<huitema at huitema.net> writes:
>
>> Please enlighten me, Peter. I see AES-GCM (and ChaCha20-Poly1305) as the two
>> options used to secure QUIC packets. The common knowledge is that this is
>> fine as long as three conditions hold: a different Nonce is used for each
>> packet, which in QUIC is done by XORing a secret-dependent IV with the 64 bit
>> packet sequence number; the amount of data encrypted with the same key is
>> limited, which in QUIC is done by forcing a key rotation after 2^26 packets
>> for AES-GCM; and the number of decryption errors for the same master secret
>> does not exceed some limit (2^26, I believe).
> I'm going to have to invoke Poe's Law here and ask: Are you making a point via
> satire, or are you serious here? Given that it's taken eight lines of
> incomprehensible-to-normal-humans cryptobabble to explain why it's easy to get
> right, I assume the former?
>
> (I've never met you in person so I don't know what your sense of humour is
> like; if I'd written that it would be meant as satire).
I was not making the case that it is easy to get right, just that when
used within the narrow domain of applicability it does work. It also
delivers encryption at high speed -- over 20Gbps when encrypting 1500
byte packets using Intel's instruction set. And yes, it is very easy to
get it wrong. For example, some of the proposals to add multipath
support to QUIC overlooked the "unique nonce" requirement and were
insecure as a result. And I certainly remember the joy of RC4 and Wi-Fi.
But hey, I do not design my own encryption algorithms. Protocol
developers like the QUIC folks have to use the available tools. Yes, it
is easy to use GCM the wrong way, but at least AEAD gets us out of the
debate over encrypt-then-MAC or MAC-then-encrypt. I certainly wish there
was a better tool in the box, one for example without this brittle
dependency on nonces. If possible, one that also delivers 20Gbps in my
scenarios. And one that would not be encumbered by patents. If you have
that, then sure I can see switching to it.
-- Christian Huitema
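The three conditions listed in the quoted message, expressed as enforced code. This is an added example in Go, not code from this thread or from any QUIC implementation: a small AES-GCM packet-protection wrapper that derives the nonce the way RFC 9001 does (secret IV XOR left-padded packet number), refuses to seal a packet number that is not strictly increasing so no nonce can repeat under a key, stops sealing once the per-key packet limit is hit, and stops opening once the failed-decryption limit is hit. The limits are the 2^26 figures from the message rather than the RFC's own values, and the key and IV a caller passes are assumed to have been derived by the handshake.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)
// Per-key limits as stated in the message above: 2^26 sealed packets, 2^26 failed decryptions.
const confidentialityLimit, integrityLimit = 1 << 26, 1 << 26
type PacketProtection struct {
	aead              cipher.AEAD
	iv                [12]byte // secret IV derived together with the key (assumed handshake output)
	next, sent, fails uint64   // lowest packet number still allowed, packets sealed, failed Opens
}
func NewPacketProtection(key []byte, iv [12]byte) (*PacketProtection, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &PacketProtection{aead: aead, iv: iv}, nil
}
// quicNonce XORs the packet number, left-padded to 12 bytes, into the IV (RFC 9001 section 5.3).
func quicNonce(iv [12]byte, pn uint64) []byte {
	n := iv
	binary.BigEndian.PutUint64(n[4:], binary.BigEndian.Uint64(n[4:])^pn)
	return n[:]
}
// Seal rejects a non-increasing packet number (the nonce would repeat) and enforces the per-key packet limit.
func (p *PacketProtection) Seal(pn uint64, header, payload []byte) ([]byte, error) {
	if p.sent >= confidentialityLimit {
		return nil, errors.New("confidentiality limit reached: rotate the key first")
	}
	if pn >= 1<<62 || pn < p.next {
		return nil, errors.New("packet number must be a fresh, increasing value: nonce would repeat")
	}
	p.next, p.sent = pn+1, p.sent+1
	return p.aead.Seal(nil, quicNonce(p.iv, pn), payload, header), nil
}
// Open counts authentication failures so the caller can close once the integrity limit is reached.
func (p *PacketProtection) Open(pn uint64, header, ciphertext []byte) ([]byte, error) {
	if p.fails >= integrityLimit {
		return nil, errors.New("integrity limit reached: close the connection")
	}
	plaintext, err := p.aead.Open(nil, quicNonce(p.iv, pn), ciphertext, header)
	if err != nil {
		p.fails++
	}
	return plaintext, err
}
```

The packet header is passed as associated data, so a modified header fails authentication just as a modified payload does.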