
Re: [openpgp] Pull request for AEAD encrypted data packet with GCM

2017-02-14 21:35:06
Jon Callas <joncallas(_at_)icloud(_dot_)com> writes:

> I'll request that another mode than GCM be used. In particular, I disagree
> with it being "uncontroversial." It's the most controversial mode you could
> pick.

+1.  However the adjective I'd use for GCM is most trendy, not necessarily
most controversial.  It's the mode you use without thinking about it
because... um, because everyone says it's cool.  Like MongoDB, or Go, or
Angular.js, or Bimodal IT.

> GCM is very brittle. It breaks in very bad ways if you aren't careful with
> nonces/tags. There are many cases of people misusing it and getting worse
> than no security. I state that because if you *think* you're getting
> authenticated data but it has actually been altered in transit, that will
> likely cause issues in the receiving state machine.

+1 again.  You can take something like AES-CBC + HMAC and abuse it as much as
you want, e.g. by memsetting the IV to all zeroes on each block, and at most
you degrade to ECB, with no effect on the MAC's security.  OTOH do that with a
single IV in GCM (== CTR) mode (so you get a repeated IV) and you get a
catastrophic loss of security.  CTR is RC4 all over again.

> Furthermore, the multiply in GHASH is slow in software.

Again, and at the risk of sounding like the Callas fan club... 

GCM is a dangerously easy-to-misuse encryption mode paired with a slow, also
failure-prone MAC.  If you want a minimal-fuss AEAD mode, just turn the
current encryption into encrypt-then-MAC.  It's a very minimal change: append
an HMAC to the end of the existing encrypted data.

> I think that GCM is actually controversial and dangerous for generic use.

Not sure about controversial since it's so trendy that most people don't think
about it but just use it, but it's certainly too dangerous for general use.

Peter.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
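The two constructions contrasted in the message above, as an added Go example that is not part of this thread or of any OpenPGP implementation: AES-GCM sealed twice under one key and nonce leaks the XOR of the two plaintexts to anyone holding both ciphertexts, while the suggested "append an HMAC" change lets the receiver reject any altered byte of the existing encrypted data. The function names, the choice of HMAC-SHA256 under a separate MAC key, and the sample keys and messages are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// GCMNonceReuseLeak shows the CTR failure described above: sealing equal-length p1
// and p2 under one key and nonce reuses the keystream, so c1 XOR c2 == p1 XOR p2.
func GCMNonceReuseLeak(key, nonce, p1, p2 []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	c1, c2 := aead.Seal(nil, nonce, p1, nil), aead.Seal(nil, nonce, p2, nil)
	out := make([]byte, len(p1)) // only the bodies; the trailing tag is not keystream
	for i := range out {
		out[i] = c1[i] ^ c2[i]
	}
	return out
}

// AppendHMAC is the minimal encrypt-then-MAC change: keep the existing encrypted
// bytes as they are and append HMAC-SHA256 over them under a separate MAC key.
func AppendHMAC(macKey, encrypted []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(encrypted)
	return mac.Sum(append([]byte{}, encrypted...))
}

// VerifyHMAC checks the trailing tag in constant time and rejects any altered byte.
func VerifyHMAC(macKey, msg []byte) bool {
	if len(msg) < sha256.Size {
		return false
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), tag)
}

func main() {
	leak := GCMNonceReuseLeak([]byte("0123456789abcdef"), []byte("unique-nonce"),
		[]byte("attack at dawn!!"), []byte("retreat at dusk!"))
	fmt.Printf("c1 XOR c2 = %x (equals p1 XOR p2)\n", leak)
}
```

The sample keys, nonce and messages are constructed for the demonstration; with a fresh nonce per message the XOR in GCMNonceReuseLeak no longer relates to the plaintexts.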