| 1 |
Hi, |
| 2 |
|
| 3 |
On Sat, 4 Aug 2018 07:29:47 -0700 Hanno Böck wrote: |
| 4 |
> > Symmetric cryptography is quite conservative and it took years and |
| 5 |
> > even decades for algorithms and their implementations to become |
| 6 |
> > trusted, so there is nothing wrong in using good old verified |
| 7 |
> > software. |
| 8 |
> |
| 9 |
> When it comes to cipher modes the fact that people use decades old |
| 10 |
> modes is a problem. See efail for a prominent example, but there |
| 11 |
> are many less prominent ones. |
| 12 |
> |
| 13 |
> Look at the mcrypt webpage: |
| 14 |
> http://mcrypt.sourceforge.net/ |
| 15 |
> |
| 16 |
> Modes of Operation: |
| 17 |
> |
| 18 |
> CBC |
| 19 |
> CFB |
| 20 |
> CTR |
| 21 |
> ECB |
| 22 |
> OFB |
| 23 |
> NCFB |
| 24 |
> |
| 25 |
> That is a mixture of very insecure (ECB), insecure in most situations |
| 26 |
> (all others) and totally obscure modes. It doesn't include any |
| 27 |
> authenticated encryption modes, which in most situations is what you |
| 28 |
> want to use. |
| 29 |
|
| 30 |
I want to use mcrypt for local encryption only, therefore I don't |
| 31 |
really care about MACs. In my use cases modification tampering is |
| 32 |
easy to detect by other means. |
| 33 |
|
| 34 |
ECB is indeed unsafe and must be avoided (hey, openssl supports ECB |
| 35 |
as well, let's ban it!). |
| 36 |
|
| 37 |
CBC is better, but vulnerable to PODDLE, so I agree on avoiding it |
| 38 |
as well. |
| 39 |
|
| 40 |
As for CTR, (N)CFB, (N)OFB there is nothing obscure about them: |
| 41 |
they are known for decades and are well studied. There are no |
| 42 |
direct attacks on these modes known aside from detectable tampering |
| 43 |
possibility. |
| 44 |
|
| 45 |
Best regards, |
| 46 |
Andrew Savchenko |
Archives