[146621] in cryptography@c2.net mail archive
Re: [Cryptography] Suite B after today's news
daemon@ATHENA.MIT.EDU (Jon Callas)
Thu Sep 5 22:06:32 2013
X-Original-To: cryptography@metzdowd.com
From: Jon Callas <jon@callas.org>
In-Reply-To: <F3B5BD76-C32D-4CA8-A96E-08329F56EDAC@kebe.com>
Date: Thu, 5 Sep 2013 19:00:21 -0700
To: Dan McDonald <danmcd@kebe.com>
Cc: cryptography@metzdowd.com, Jon Callas <jon@callas.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sep 5, 2013, at 6:16 PM, Dan McDonald <danmcd@kebe.com> wrote:
> Consider the Suite B set of algorithms:
>
> AES-GCM
> AES-GMAC
> IEEE Elliptic Curves (256, 384, and 521-bit)
>
> Traditionally, people were pretty confident in these. How is people's confidence in them now?
My opinion about GCM and GMAC has not changed. I've never been a fan.
My objection to them is that they are tetchy to use -- hard to get right, easy to get wrong. It's pretty much what is in Niels's paper:
<http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf>
I don't think they're actively bad, though. For the purpose they were created for -- parallelizable authenticated encryption -- they serve their purpose. You can have a decent implementor implement them right in hardware and walk away.
I think that any of OCB, CCM, or EAX are preferable from a security standpoint, but none of them parallelize as well. If you want to do a lot of encrypted and authenticated high-speed link encryption, well, there is likely no other answer. It's GCM or nothing.
Remember that every intelligence agency has a SIGINT branch and an IA (Information Assurance) branch. Sometimes they are different agencies (at least titularly) like GCHQ/CESG, BND/BSI, etc. The NSA does not separate its SIGINT directorate and the IA directorate into different agencies.
I think the IA people have shown they do a good job, but they are humans too and make mistakes. Heck, there are things that various IA people do and recommend that I disagree with from weakly to strongly. I weakly disagree with GCM -- I think it's spinach and I say to hell with it, as opposed to thinking it's crap.
Would a signals intelligence organization that finds a flaw in what the IA people did tell the IA branch so people can fix it? That's the *real* question.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii
wj8DBQFSKTc3sTedWZOD3gYRAhsoAKCP0xlsuWIE5CMDeBMwqQQ4hVIInwCg7LJX
XHkmG7DzCxPubNay86/UL7U=
=Eo6n
-----END PGP SIGNATURE-----
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
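An added illustration of the "hard to get right, easy to get wrong" point above, written for this archive page and not code from Jon Callas or anyone on the list. It uses only the Go standard library's AES-GCM. The type `GCMSealer`, the functions `Open` and `KeystreamReuseLeak`, the message-count limit and the fixed `demoKey` are all constructed for the example. The wrapper shows the discipline GCM demands (a 96-bit nonce that is never repeated under a key, with a hard cap on messages per key), and `KeystreamReuseLeak` shows, on constructed inputs, why that discipline is not optional: with a repeated nonce the XOR of two ciphertexts equals the XOR of the two plaintexts, which is the classic GCM misuse the mode does nothing to protect against.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// demoKey is a constructed 32-byte (AES-256) key for the example only;
// real code derives or randomly generates keys and never hard-codes them.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// ErrNonceExhausted is returned once the per-key message budget is spent.
var ErrNonceExhausted = errors.New("gcm: nonce counter exhausted; rotate the key")

// GCMSealer wraps an AES-GCM AEAD with a strictly increasing 64-bit counter
// placed in the 96-bit nonce, so a (key, nonce) pair is never used twice.
// The limit caps how many messages one key may protect (hypothetical policy).
type GCMSealer struct {
	aead    cipher.AEAD
	counter uint64
	limit   uint64
}

// NewGCMSealer builds the AEAD and sets the per-key message budget.
func NewGCMSealer(key []byte, limit uint64) (*GCMSealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &GCMSealer{aead: aead, limit: limit}, nil
}

// Seal encrypts plaintext under the next unused nonce and returns
// nonce || ciphertext || tag. It refuses to run past the message budget.
func (s *GCMSealer) Seal(plaintext, aad []byte) ([]byte, error) {
	if s.counter >= s.limit {
		return nil, ErrNonceExhausted
	}
	nonce := make([]byte, s.aead.NonceSize()) // 12 bytes for standard GCM
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	s.counter++
	out := make([]byte, 0, len(nonce)+len(plaintext)+s.aead.Overhead())
	out = append(out, nonce...)
	return s.aead.Seal(out, nonce, plaintext, aad), nil
}

// Open verifies the tag and decrypts a message produced by Seal.
func Open(key, msg, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(msg) < ns+aead.Overhead() {
		return nil, errors.New("gcm: message too short")
	}
	return aead.Open(nil, msg[:ns], msg[ns:], aad)
}

// KeystreamReuseLeak demonstrates the failure mode the wrapper prevents.
// Encrypting p1 and p2 under the same key and nonce reuses the CTR keystream,
// so c1[i]^c2[i] == p1[i]^p2[i] over the common length. Returns true when
// that relationship holds, i.e. when plaintext structure is leaked.
func KeystreamReuseLeak(key, nonce, p1, p2 []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	c1 := aead.Seal(nil, nonce, p1, nil)
	c2 := aead.Seal(nil, nonce, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	for i := 0; i < n; i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	s, _ := NewGCMSealer(demoKey, 1000)
	msg, _ := s.Seal([]byte("first message"), []byte("header"))
	pt, err := Open(demoKey, msg, []byte("header"))
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	// Constructed 12-byte nonce, deliberately reused to show the leak.
	leak, _ := KeystreamReuseLeak(demoKey, []byte("000000000001"), []byte("first message"), []byte("other message"))
	fmt.Println("nonce reuse leaks plaintext XOR:", leak)
}
```

The counter-in-nonce construction is one of the two standard ways to meet GCM's uniqueness requirement (the other is a random 96-bit nonce with a much lower per-key message cap); OCB, CCM and EAX carry the same nonce requirement, which is part of why the mailing-list thread's preference among them is about implementation pitfalls rather than the nonce contract itself.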