Hi,

On Sat, 4 Aug 2018 07:29:47 -0700 Hanno Böck wrote:
> > Symmetric cryptography is quite conservative and it took years and
> > even decades for algorithms and their implementations to become
> > trusted, so there is nothing wrong in using good old verified
> > software.
>
> When it comes to cipher modes the fact that people use decades old
> modes is a problem. See efail for a prominent example, but there
> are many less prominent ones.
>
> Look at the mcrypt webpage:
> http://mcrypt.sourceforge.net/
>
> Modes of Operation:
>
> CBC
> CFB
> CTR
> ECB
> OFB
> NCFB
>
> That is a mixture of very insecure (ECB), insecure in most situations
> (all others) and totally obscure modes. It doesn't include any
> authenticated encryption modes, which in most situations is what you
> want to use.

I want to use mcrypt for local encryption only, therefore I don't
really care about MACs. In my use cases modification tampering is
easy to detect by other means.

ECB is indeed unsafe and must be avoided (hey, openssl supports ECB
as well, let's ban it!).

CBC is better, but vulnerable to POODLE, so I agree on avoiding it
as well.

As for CTR, (N)CFB, (N)OFB there is nothing obscure about them:
they are known for decades and are well studied. There are no
direct attacks on these modes known aside from detectable tampering
possibility.

Best regards,
Andrew Savchenko
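The exchange above turns on one point: CTR/CFB/OFB on their own give confidentiality but no integrity, so a modified ciphertext decrypts without complaint, and "detecting tampering by other means" has to be a deliberate, separate step. The following Go program is an added illustration of that, not code from this thread or from mcrypt. It uses only the Go standard library and constructed demo keys and nonces (hypothetical values, chosen for the example). It shows three things side by side: a one-byte modification of an AES-CTR ciphertext that decrypts silently to a plaintext changed in exactly that byte; the same ciphertext protected encrypt-then-MAC with HMAC-SHA256 under a separate key, where the modification is rejected before decryption; and AES-GCM, an authenticated mode that rejects it on its own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo keys and nonces (hypothetical values for this example).
// Real keys come from a CSPRNG or a KDF, and a CTR or GCM nonce must never
// repeat under the same key.
var (
	demoEncKey = []byte("0123456789abcdef")                 // 16 bytes: AES-128
	demoMacKey = []byte("fedcba9876543210fedcba9876543210") // separate key for the MAC
	demoIV     = []byte("ctr-nonce-demo01")                 // 16-byte CTR initial counter block
	demoNonce  = []byte("gcm-nonce-12")                     // 12-byte GCM nonce
)

// ErrTampered is returned when the integrity check on stored data fails.
var ErrTampered = errors.New("ciphertext failed integrity check")

// ctrXOR applies AES-CTR; the same call encrypts and decrypts.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// corrupt returns a copy of ct with one byte XORed by mask, which is what a
// flipped bit on disk, a bad sector, or an edit to the stored file looks like.
func corrupt(ct []byte, pos int, mask byte) []byte {
	c := append([]byte(nil), ct...)
	c[pos] ^= mask
	return c
}

// DecryptCTRUnauthenticated shows the mode's behaviour alone: the modified
// ciphertext decrypts with no error to a plaintext that differs from the
// original in exactly the modified byte.
func DecryptCTRUnauthenticated(plaintext []byte, pos int, mask byte) ([]byte, error) {
	ct, err := ctrXOR(demoEncKey, demoIV, plaintext)
	if err != nil {
		return nil, err
	}
	return ctrXOR(demoEncKey, demoIV, corrupt(ct, pos, mask))
}

// sealCTRThenMAC is encrypt-then-MAC: tag = HMAC-SHA256(macKey, iv || ct).
func sealCTRThenMAC(plaintext []byte) ([]byte, error) {
	ct, err := ctrXOR(demoEncKey, demoIV, plaintext)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, demoMacKey)
	mac.Write(demoIV)
	mac.Write(ct)
	return append(ct, mac.Sum(nil)...), nil
}

// openCTRThenMAC verifies the tag (constant-time compare) before decrypting,
// so a modification becomes a detected failure instead of silent corruption.
func openCTRThenMAC(sealed []byte) ([]byte, error) {
	if len(sealed) < sha256.Size {
		return nil, ErrTampered
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, demoMacKey)
	mac.Write(demoIV)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, ErrTampered
	}
	return ctrXOR(demoEncKey, demoIV, ct)
}

// DecryptCTRThenMACCorrupted seals, corrupts one byte, and returns the
// resulting error (ErrTampered when the modification is caught).
func DecryptCTRThenMACCorrupted(plaintext []byte, pos int, mask byte) error {
	sealed, err := sealCTRThenMAC(plaintext)
	if err != nil {
		return err
	}
	_, err = openCTRThenMAC(corrupt(sealed, pos, mask))
	return err
}

// DecryptGCMCorrupted does the same with AES-GCM, whose built-in tag makes
// Open fail on any modified byte of nonce, ciphertext or tag.
func DecryptGCMCorrupted(plaintext []byte, pos int, mask byte) error {
	block, err := aes.NewCipher(demoEncKey)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	sealed := aead.Seal(nil, demoNonce, plaintext, nil)
	_, err = aead.Open(nil, demoNonce, corrupt(sealed, pos, mask), nil)
	return err
}

func main() {
	pt := []byte("backup volume label: photos-2018") // constructed sample plaintext
	rec, _ := DecryptCTRUnauthenticated(pt, 0, 0x01)
	fmt.Printf("CTR alone: %q -> %q (no error)\n", pt, rec)
	fmt.Println("CTR+HMAC :", DecryptCTRThenMACCorrupted(pt, 0, 0x01))
	fmt.Println("AES-GCM  :", DecryptGCMCorrupted(pt, 0, 0x01))
}
```

The HMAC is computed over the IV as well as the ciphertext and verified with `hmac.Equal` before any decryption; using a MAC key distinct from the encryption key keeps the two primitives independent. That is the minimum "other means" a local-encryption setup needs if it stays on CTR/CFB/OFB, and it is what an authenticated mode such as GCM bundles for you.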