[146628] in cryptography@c2.net mail archive


Re: [Cryptography] Suite B after today's news

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Thu Sep 5 22:37:17 2013

X-Original-To: cryptography@metzdowd.com
Date: Fri, 06 Sep 2013 14:35:14 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: jon@callas.org, pgut001@cs.auckland.ac.nz
In-Reply-To: <5AAE674B-8487-4966-9646-CA5C772E156F@callas.org>
Cc: danmcd@kebe.com, cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

Jon Callas <jon@callas.org> writes:

>How do you feel (heh, I typoed that as "feal") about the other AEAD modes?

If it's not a stream cipher and doesn't fail catastrophically with IV reuse
then it's probably as good as any other mode.  Problem is that at the moment
modes like AES-CTR are being promulgated as fashion statements without any
consideration about operational deployment, when what we should be promoting
is something that's safely and effectively deployable.  Someblockcipher-CBC +
HMAC is a nice safe bet: run your HMAC, do a constant-time compare of the
result, toss the encrypted data if you get a verify failure, otherwise
decrypt; it's pretty straightforward.

Peter.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
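The recipe above written out in Go's standard library, as an added example that is not part of Peter's message or of any project's code: AES-CBC encrypt-then-HMAC, where the receiver does the constant-time tag check before touching the ciphertext and refuses to decrypt on a mismatch. The two keys are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed demo keys for AES-256-CBC and HMAC-SHA256; a real deployment derives two independent keys with a KDF.
var encKey = bytes.Repeat([]byte{0x11}, 32)
var macKey = bytes.Repeat([]byte{0x22}, 32)
var block, _ = aes.NewCipher(encKey) // 32-byte key, so NewCipher cannot fail here

// Seal: AES-CBC under a fresh random IV, then HMAC-SHA256 over IV||ciphertext; output is IV||ct||tag.
func Seal(plaintext []byte) ([]byte, error) {
	out := make([]byte, aes.BlockSize) // IV goes first
	if _, err := rand.Read(out); err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 pad length, always 1..16
	out = append(append(out, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], out[aes.BlockSize:])
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open: constant-time tag check first; on mismatch the ciphertext is discarded and never decrypted.
func Open(msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha256.Size || (len(msg)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // hmac.Equal is constant-time
		return nil, errors.New("MAC verification failed")
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	n := int(pt[len(pt)-1]) // PKCS#7 length byte; authenticated above, so no padding oracle
	if n < 1 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
```

Because the MAC covers the IV and the whole ciphertext and is verified first, a flipped ciphertext bit or a truncated message is rejected before CBC decryption or padding removal ever runs.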
