Friday, December 30, 2016

Re: [FD] [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto

Hi,

On Tue, Dec 27, 2016 at 09:01:49AM -0800, Tim wrote:
> [...]
>
> > > But there still are people who use CBC...
> > [...]
>
> All traditional modes that lack integrity protection are vulnerable to
> chosen-ciphertext attacks in these kinds of scenarios.
> [...]
> All traditional modes need a MAC or similar integrity protection.

That is correct.

> In light of that, there's
> nothing particularly wrong with using CBC, if it is implemented well.
> At least, using it is not *more* wrong than using OFB, CFB, or CTR

That is wrong. CBC mode allows attacks such as "Sweet32"
(https://sweet32.info/), which is not possible with CTR mode.

> without integrity protection.

Correct again, but too simple-minded. Any encryption without integrity
protection does not provide confidentiality against an active attacker.
Using the wrong mode with a block cipher can render authentication
irrelevant in attacks on confidentiality.

> [...]
> We should instead be pointing developers in
> the direction of using something off-the-shelf [...].
> Much less room for error.

That is sound advice. In addition, broken ciphers, modes, and protocols
still implemented for backwards compatibility should not be used.

Thanks,
Erik

Source: Gmail -> IFTTT -> Blogger
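The point both correspondents agree on (an unauthenticated mode gives no confidentiality against an active attacker) and the padding oracle the advisory's subject line refers to can be shown end to end in a few dozen lines. The script below is an added example and is not code from the original message, from the advisory, or from Apache mod_session_crypto. It uses a constructed 4-round Feistel network over SHA-256 as a stand-in 128-bit block cipher so that it runs with the Python standard library alone; the attacks depend only on CBC's structure and work the same way against AES-CBC. The key, IV and message are constructed for a reproducible demo (a real system would draw the IV from os.urandom). It shows three things: flipping bits in an unauthenticated CBC ciphertext rewrites the plaintext without the key; a server that merely reports whether padding was valid leaks the whole plaintext; and checking an HMAC over the ciphertext before decrypting (encrypt-then-MAC, the kind of "off-the-shelf" construction recommended above) rejects the forgery before any padding is ever examined.

```python
"""CBC without integrity protection: bit-flipping, padding-oracle decryption,
and the encrypt-then-MAC fix. Added example, not code from the original post."""
import hashlib
import hmac

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    # Constructed 4-round Feistel network (Luby-Rackoff) with a SHA-256 round
    # function: a keyed 128-bit permutation standing in for AES. Assumption:
    # any block cipher would do, since the attacks only exploit CBC's structure.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    padded, out, prev = pkcs7_pad(plaintext), [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key, ciphertext):
    iv, body, out, prev = ciphertext[:BLOCK], ciphertext[BLOCK:], [], ciphertext[:BLOCK]
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))


def padding_oracle(key, ciphertext):
    """What a server leaks when it distinguishes padding errors from other errors."""
    try:
        cbc_decrypt(key, ciphertext)
        return True
    except ValueError:
        return False


def padding_oracle_decrypt_block(oracle, prev, target):
    """Recover one plaintext block using only the oracle: find D(target) byte by
    byte from the last byte backwards, then XOR it with the preceding block."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        for guess in range(256):
            forged = bytearray(BLOCK)
            forged[pos] = guess
            for k in range(pos + 1, BLOCK):
                forged[k] = inter[k] ^ pad  # already-known bytes decrypt to `pad`
            if oracle(bytes(forged) + target):
                if pos == BLOCK - 1:  # rule out an accidental 0x02 0x02 (or longer) hit
                    forged[pos - 1] ^= 0xFF
                    if not oracle(bytes(forged) + target):
                        continue
                inter[pos] = guess ^ pad
                break
        else:
            raise RuntimeError("no valid padding found")
    return xor(bytes(inter), prev)


def etm_encrypt(enc_key, mac_key, iv, plaintext):
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def etm_decrypt(enc_key, mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")  # rejected before decryption: no oracle
    return cbc_decrypt(enc_key, ct)


# Constructed demo inputs; a real system must use a fresh random IV per message.
ENC_KEY = hashlib.sha256(b"constructed demo encryption key").digest()
MAC_KEY = hashlib.sha256(b"constructed demo mac key").digest()
IV = bytes(range(BLOCK))
MESSAGE = b"amount=0010;to=X payee=bob"


def tamper_amount(ciphertext):
    # Bits flipped in the IV flip the same bits of plaintext block 0, so the
    # "00" at offsets 7 and 8 becomes "99" with no key and no garbled block.
    forged = bytearray(ciphertext)
    for pos in (7, 8):
        forged[pos] ^= ord("0") ^ ord("9")
    return bytes(forged)


def demo():
    ct = cbc_encrypt(ENC_KEY, IV, MESSAGE)
    tampered_plain = cbc_decrypt(ENC_KEY, tamper_amount(ct))  # decrypts "fine"
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    oracle = lambda c: padding_oracle(ENC_KEY, c)
    recovered = pkcs7_unpad(b"".join(
        padding_oracle_decrypt_block(oracle, blocks[i - 1], blocks[i])
        for i in range(1, len(blocks))))
    try:
        etm_decrypt(ENC_KEY, MAC_KEY, tamper_amount(etm_encrypt(ENC_KEY, MAC_KEY, IV, MESSAGE)))
        etm_rejected = False
    except ValueError:
        etm_rejected = True
    return tampered_plain, recovered, etm_rejected


if __name__ == "__main__":
    print(demo())
```

The bit-flip and the oracle attack never touch the block cipher; swapping the Feistel stand-in for AES changes nothing about them, which is why the mode and the MAC, not the cipher, decide the outcome. The padding-oracle loop costs at most 256 queries per byte, so a 16-byte block falls in under 4096 requests. Note that the encrypt-then-MAC variant is only a fix because the tag is verified with a constant-time compare before any decryption happens; a MAC checked after unpadding would still expose the padding error.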