Gentoo Archives: gentoo-dev

From: "Hanno Böck" <hanno@g.o>
To: gentoo-dev@l.g.o
Subject: Re: mcrypt status (Re: [gentoo-dev] Idea for a new project: gentoo-libs)
Date: Sat, 04 Aug 2018 14:29:56
Message-Id: 20180804072947.1f9ac221@computer
In Reply to: mcrypt status (Re: [gentoo-dev] Idea for a new project: gentoo-libs) by Andrew Savchenko
Hi,

On Sat, 4 Aug 2018 11:43:28 +0300
Andrew Savchenko <bircoph@g.o> wrote:

> Do you have any evidence that mcrypt should not be used?

Well, PHP was as far as I'm aware its main user and PHP has declared
mcrypt support to be deprecated a while ago.

> Symmetric cryptography is quite conservative and it took years and
> even decades for algorithms and their implementations to become
> trusted, so there is nothing wrong in using good old verified
> software.

When it comes to cipher modes the fact that people use decades old
modes is a problem. See efail for a prominent example, but there
are many less prominent ones.

Look at the mcrypt webpage:
http://mcrypt.sourceforge.net/

Modes of Operation:

CBC
CFB
CTR
ECB
OFB
NCFB

That is a mixture of very insecure (ECB), insecure in most situations
(all others) and totally obscure modes. It doesn't include any
authenticated encryption modes, which in most situations is what you
want to use.

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@××××××.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
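
Added example, not part of the original message and not mcrypt code: a sketch of what the missing authentication means in practice, contrasting a stream-style mode on its own with the same mode wrapped in encrypt-then-MAC. Assumptions: HMAC-SHA256 in counter mode stands in for the block cipher so that only the Python standard library is needed, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 in counter mode stands in for the block cipher so
# the example needs only the standard library. It behaves like any
# stream-style mode (CTR, OFB, CFB): ciphertext = plaintext XOR keystream.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_unauthenticated(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))

def decrypt_unauthenticated(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    # No integrity check: any byte string of the right shape "decrypts".
    return xor(body, keystream(key, nonce, len(body)))

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    blob = encrypt_unauthenticated(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def decrypt_authenticated(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed")
    return decrypt_unauthenticated(enc_key, body)

def flip_bit(blob: bytes, index: int) -> bytes:
    # Constructed corruption of one stored or transmitted byte.
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]

def is_accepted(enc_key: bytes, mac_key: bytes, blob: bytes) -> bool:
    try:
        decrypt_authenticated(enc_key, mac_key, blob)
        return True
    except ValueError:
        return False
```

The unauthenticated path returns altered plaintext without any error, while the authenticated path rejects the same modification. In production code use a vetted AEAD construction such as AES-GCM or ChaCha20-Poly1305 from a maintained library rather than a hand-rolled composition.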
