> > res = apr_crypto_passphrase(&key, &ivSize, passphrase, > > strlen(passphrase), (unsigned char *) (&salt), sizeof(apr_uuid_t), > > *cipher, APR_MODE_CBC, 1, 4096, f, r->pool); > > CBC. Again. > > The earliest mention of CFB which I know is dated 1989. > The earliest mention of CTR which I know is dated 1990-ies. > > But there still are people who use CBC... > > Please, PLEASE, PPLEEEEAASSSE don't use it. Instead, use either > Blowfish in CFB mode or at least Rijndael (AES) in CTR (or GCM) > mode - both are available, for example, in the OpenSSL library. All traditional modes that lack integrity protection are vulnerable to chosen-ciphertext attacks in these kinds of scenarios. CFB isn't immune and CTR is catastrophically weak. All traditional modes need a MAC or similar integrity protection. In light of that, there's nothing particularly wrong with using CBC, if it is implemented well. At least, using it is not *more* wrong than using OFB, CFB, or CTR without integrity protection. GCM is fine if the implementation is sound and the IVs never repeat, but there are pitfalls. We should instead be pointing developers in the direction of using something off-the-shelf, such as libsodium. Much less room for error. tim
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment