[146625] in cryptography@c2.net mail archive


Re: [Cryptography] Suite B after today's news

daemon@ATHENA.MIT.EDU (Jon Callas)
Thu Sep 5 22:23:28 2013

X-Original-To: cryptography@metzdowd.com
From: Jon Callas <jon@callas.org>
In-Reply-To: <E1VHla4-0003wq-G4@login01.fos.auckland.ac.nz>
Date: Thu, 5 Sep 2013 19:21:17 -0700
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: cryptography@metzdowd.com, danmcd@kebe.com, Jon Callas <jon@callas.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Sep 5, 2013, at 7:15 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> Jon Callas <jon@callas.org> writes:
> 
>> My opinion about GCM and GMAC has not changed. I've never been a fan.
> 
> Same here.  AES is, as far as we know, pretty secure, so any problems are
> going to arise in how AES is used.  AES-CBC wrapped in HMAC is about as solid
> as you can get.  AES-GCM is a design or coding accident waiting to happen.
> This isn't the 1990s, we don't need to worry about whether DES or FEAL or IDEA
> or Blowfish really are secure or not, we can just take a known-good system off
> the shelf and use it.  What we need to worry about now is deployability.  AES-
> CTR and AES-GCM are RC4 all over again, it's as if we've learned nothing from
> the last time round.

How do you feel (heh, I typoed that as "feal") about the other AEAD modes?

	Jon



-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFSKTwesTedWZOD3gYRAgyXAJ0X7q9+1DRM+1p/eQ13Hlu0P4s4vQCgsQLG
zs8/592lHqurlVWlghRTdJg=
=Ni0l
-----END PGP SIGNATURE-----
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
