[Cryptography] AES GCM insecure vs OCB1/OCB3 ??
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Feb 16 20:10:41 EST 2021
John-Mark Gurney <jmg at funkthat.com> writes:
>Looks like it's free for any open source and non-military use:
>https://www.cs.ucdavis.edu/~rogaway/ocb/license.htm
The devil is in the details with this one. If you put it in OSS and someone
you've never heard of downloads it and uses it on a contract for a defence
contractor, is this military use, and how would you control it without making
it non-OSS? Is using it to process credit card transactions at a PX military
use? How far down the chain do you need to go to be compliant? What if it's
built into a product from a large vendor with thousands of customers
internationally, how do they control how it's used?
I can see the intent behind it and it's laudable, but in practice it just
means you can't use it because the potential legal headaches involved are too
great.
Peter.
More information about the cryptography
mailing list