
List:       cryptography
Subject:    [Cryptography] Fw:  Crypto best practices
From:       Peter Gutmann <pgut001 () cs ! auckland ! ac ! nz>
Date:       2017-03-15 23:06:28
Message-ID: 1489619182487.78416 () cs ! auckland ! ac ! nz

Forwarded on behalf of the original poster, who can't post directly.

Peter.
________________________________________
From: Neuhaus Stephan (neut) <neut@zhaw.ch>
Sent: Thursday, 16 March 2017 07:17
To: dennis.hamilton@acm.org
Cc: Peter Gutmann
Subject: Re: [Cryptography] Crypto best practices

On 2017-03-15 17:15, "cryptography on behalf of Dennis E. Hamilton"
<cryptography-bounces+stephan.neuhaus=zhaw.ch@metzdowd.com on behalf of
dennis.hamilton@acm.org> wrote:

> > -----Original Message-----
> > From: cryptography [mailto:cryptography-bounces+dennis.hamilton=acm.org@metzdowd.com] On Behalf Of Peter Gutmann
> > Sent: Wednesday, March 15, 2017 04:19
> > To: Hanno Böck <hanno@hboeck.de>
> > Cc: Cryptography List <cryptography@metzdowd.com>; Arnold Reinhold <agr@me.com>
> > Subject: Re: [Cryptography] Crypto best practices
> [ ... ]
> > 
> > AES-CTR, and by extension AES-GCM, have exactly the same problem, if you use
> > them in their most straightforward modes where you memcpy() in a fixed or all-
> > zero IV, you've got RC4 again.
> [orcmid]
> 
> Huh?!
> 
> Doesn't use of a fixed IV undermine practically any scheme?  One would
> hope that anything on use of AES-GCM would emphasize the security
> requirement concerning the IV.

Of course a fixed IV undermines any scheme, just with different
consequences. If you use, say, CBC with a fixed IV, what you get is that
equal plaintexts (or equal plaintext prefixes) get mapped to equal
ciphertexts. If you use RC4, CTR, or GCM with a fixed IV, you get THE SAME
KEY STREAM and you can undo the ENTIRE key stream on the ENTIRE
message, not just the equal prefix.

That's what Peter meant by "no cryptanalysis necessary".

That's not to say that CTR, GCM and so on aren't useful, but the question
is, if RC4 is banned (presumably not only because of its biases, but also
because of the IV reuse problem), then CTR and GCM should also be banned
because they suffer from the exact same problems.

(This message will probably bounce from the list because my employer
doesn't allow me to use my preferred email address in From: fields, but
feel free to forward this mail to the list if you think it's useful.)

Cheers,

Stephan
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
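As an added illustration of the difference Stephan describes (this is example code, not part of the original thread or anyone's library), the following Go program, using only the standard library, encrypts two constructed 48-byte messages under one key with a fixed all-zero IV. Under CTR and GCM the XOR of the two ciphertexts equals the XOR of the plaintexts, so an attacker who knows one message reads off the whole of the other with no cryptanalysis; under CBC only the shared leading block is exposed. The key, IV and message contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed inputs: one key, a fixed all-zero IV/nonce (the memcpy() case
// from the thread), and two messages that share their first 16-byte block.
var (
	key        = []byte("0123456789abcdef")  // constructed 128-bit key
	fixedIV    = make([]byte, aes.BlockSize) // all-zero 16-byte CTR/CBC IV
	fixedNonce = make([]byte, 12)            // all-zero 96-bit GCM nonce
	m1         = []byte("ATTACK AT DAWN..ROUTE VIA NORTH BRIDGE AT 0600..")
	m2         = []byte("ATTACK AT DAWN..FALL BACK TO THE RIVER CROSSING.")
)

func mustAES() cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// ctrEncrypt: AES-CTR starting from the given counter block.
func ctrEncrypt(iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCTR(mustAES(), iv).XORKeyStream(ct, pt)
	return ct
}

// gcmEncrypt: AES-GCM, returning the ciphertext without the 16-byte tag that
// Seal appends; the tag does not matter for the keystream-reuse attack.
func gcmEncrypt(nonce, pt []byte) []byte {
	aead, err := cipher.NewGCM(mustAES())
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, pt, nil)[:len(pt)]
}

// cbcEncrypt: AES-CBC; pt must be a whole number of blocks (48 bytes here).
func cbcEncrypt(iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustAES(), iv).CryptBlocks(ct, pt)
	return ct
}

// RecoverFromReusedKeystream is the "no cryptanalysis necessary" step: with one
// keystream K, c1 XOR c2 = (m1 XOR K) XOR (m2 XOR K) = m1 XOR m2, so knowing m1
// yields every byte of m2 that m1 covers.
func RecoverFromReusedKeystream(c1, c2, knownM1 []byte) []byte {
	return xorBytes(xorBytes(c1, c2), knownM1)
}

// EqualBlockPrefix counts the leading 16-byte blocks on which a and b agree.
func EqualBlockPrefix(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

// DemoCTR: both messages under the same key and IV; m2 falls out of c1, c2, m1.
func DemoCTR() []byte {
	return RecoverFromReusedKeystream(ctrEncrypt(fixedIV, m1), ctrEncrypt(fixedIV, m2), m1)
}

// DemoGCM: same under GCM, whose encryption layer is CTR with a nonce-derived
// counter, so a repeated nonce repeats the keystream exactly as in plain CTR.
func DemoGCM() []byte {
	return RecoverFromReusedKeystream(gcmEncrypt(fixedNonce, m1), gcmEncrypt(fixedNonce, m2), m1)
}

// DemoCBC: the milder failure. A fixed IV leaks that the messages share a
// leading block; later blocks differ and are not recovered by XORing.
// Returns (identical leading ciphertext blocks, total blocks).
func DemoCBC() (int, int) {
	return EqualBlockPrefix(cbcEncrypt(fixedIV, m1), cbcEncrypt(fixedIV, m2)), len(m1) / aes.BlockSize
}

func main() {
	fmt.Printf("CTR, reused IV, recovered m2:    %q\n", DemoCTR())
	fmt.Printf("GCM, reused nonce, recovered m2: %q\n", DemoGCM())
	eq, total := DemoCBC()
	fmt.Printf("CBC, reused IV: %d of %d ciphertext blocks identical\n", eq, total)
}
```

Run with `go run main.go`. The CTR and GCM lines print the second message in full even though only the first was known, while the CBC line reports that just one of the three blocks is identical, which is the "equal prefix" leak Stephan contrasts it with.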

