Re: A Simple Encryption Mode that "Feels" Secure
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 10/29/04
- Next message: Peter Fairbrother: "Re: commuting?/non-group cipher?"
- Previous message: Skybuck Flying: "Re: Hunt for rand and srand implementations ;)"
- In reply to: John Savard: "Re: A Simple Encryption Mode that "Feels" Secure"
- Next in thread: John Savard: "Re: A Simple Encryption Mode that "Feels" Secure"
- Reply: John Savard: "Re: A Simple Encryption Mode that "Feels" Secure"
- Reply: John Savard: "Re: A Simple Encryption Mode that "Feels" Secure"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 29 Oct 2004 00:40:20 +0000 (UTC)
John Savard wrote:
>As well, I also feel that sometimes insights, in their early stages,
>cannot always be well-articulated. An encryption mode that protects
>privacy only, and does nothing to authenticate data, lends itself to
>misuse. People will read and act on messages whose integrity checks are
>invalid, if the integrity check is added on and not locked in a black
>box which refuses to yield plaintext if the integrity check is not
>valid.
>
>Thus, if one can protect messages against forgeries other than the
>existential at essentially no cost - and even the existential can be
>defended against at essentially no cost, but with modes that require
>some mathematical sophistication to implement - it seems worth doing.
Now that I read this more carefully, I agree with your problem statement
but I don't like your solution. In other words, I agree it is very
valuable to think about modes of operation that are easy to use the right
way and hard to misuse. However, rather than building a mode that only
provides a partial defense against misuse, I'd prefer a mode of operation
that provides a strong level of authentication as well as confidentiality.
I'm thinking of modes like CCM, EAX, CWC, GCM, and the like. Those modes
provide strong confidentiality and strong integrity protection. They seem
like a good default for the non-crypto expert. Is there any reason not to
use them?
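The "black box which refuses to yield plaintext if the integrity check is not valid" that the thread asks for is what an authenticated mode such as GCM gives by construction. The following is an added example using Go's standard-library AES-GCM, not code from this thread or from any of the posters; the key, nonce, IV, header and message are constructed for the demonstration. It contrasts the authenticated mode with a confidentiality-only CTR mode, which hands back a modified plaintext without any error.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed key, nonce and IV for this demonstration only: a real system
// derives keys properly and never reuses a GCM nonce under the same key.
var demoKey = []byte("0123456789abcdef") // 16 bytes: AES-128
var demoNonce = []byte("unique-nonce")   // 12 bytes: standard GCM nonce
var demoIV = []byte("fedcba9876543210")  // 16 bytes: CTR counter block
func mustBlock(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only an invalid key length can fail here
	}
	return block
}
// sealGCM encrypts and authenticates; aad (e.g. a header) is bound to the
// tag but transmitted in the clear.
func sealGCM(key, nonce, aad, plaintext []byte) []byte {
	aead, _ := cipher.NewGCM(mustBlock(key)) // cannot fail for an AES block
	return aead.Seal(nil, nonce, plaintext, aad)
}
// openGCM is the "black box" the thread asks for: plaintext comes out only
// if the tag verifies; any modification yields nil and an error instead.
func openGCM(key, nonce, aad, ciphertext []byte) ([]byte, error) {
	aead, _ := cipher.NewGCM(mustBlock(key))
	return aead.Open(nil, nonce, ciphertext, aad)
}

// ctrOnly is confidentiality-only CTR mode, shown for contrast: a flipped
// ciphertext bit silently becomes a flipped plaintext bit, with no error.
func ctrOnly(key, iv, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(mustBlock(key), iv).XORKeyStream(out, data)
	return out
}

func main() {
	msg, aad := []byte("transfer 100 to alice"), []byte("hdr")
	ct := sealGCM(demoKey, demoNonce, aad, msg)
	ct[0] ^= 1 // one bit flipped in transit
	_, err := openGCM(demoKey, demoNonce, aad, ct)
	fmt.Println("GCM:", err) // cipher: message authentication failed
	ctr := ctrOnly(demoKey, demoIV, msg)
	ctr[0] ^= 1 // the same flip against the confidentiality-only mode
	fmt.Printf("CTR: %q\n", ctrOnly(demoKey, demoIV, ctr)) // "uransfer 100 to alice"
}
```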