On Wed, 30 Oct 2024 17:53, Robert J. Hansen said:
>> Counter modes are evil and thus not used.
>
> Evil? Howso? I know there's a malleability problem, but GnuPG has
> used an HMAC since what, 1999, so that problem was mitigated decades
> ago. Is there another set of problems I'm unaware of?
All counter modes are fragile and are too easy to get wrong. It is the same as with RC4: in theory easy to use, in practice nobody gets this right. GCM is RC4 on steroids and, in its defence, it tried to avoid patent issues for authenticated encryption.

Here is a discussion thread triggered by WPA2 flaws due to the use of GCM:

  https://www.metzdowd.com/pipermail/cryptography/2017-October/032895.html

and here one on GCM vs. OCB:

  https://www.metzdowd.com/pipermail/cryptography/2021-February/036741.html

Of course some people don't have such strong opinions as Peter Gutmann, but our evaluators for GnuPG's VS-NfD approval also said: let us stay away from GCM - it is too hard to get right.

BTW, we don't use HMAC in GnuPG except for PKCS#12, TPM, and the experimental gpg-pair-tool. For authenticated encryption we used to rely on the signature and later (2001) introduced the MDC, which is an ad-hoc method to achieve this by running a hash over the plaintext and encrypting it along with the plaintext.

Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
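Added example, not code from the message above and not GnuPG's own implementation: a toy counter mode that makes the two technical points in the reply concrete. It shows why a counter mode is fragile (reusing a key/nonce pair reveals the XOR of the two plaintexts, so a crib for one message reads the other without the key), and how an MDC-style check "hash the plaintext, encrypt the hash along with it" catches a bit flip that plain counter mode would silently pass through, while still not being a MAC. Assumptions for the demo only: HMAC-SHA256 stands in for the block cipher as the keystream function, SHA-256 for the MDC hash, and the keys, nonce and messages are constructed values (OpenPGP's real MDC uses SHA-1 over CFB, not CTR).

```python
"""Toy counter mode on top of HMAC-SHA256 (demo assumption, not a real
block cipher) to illustrate nonce-reuse leakage and an MDC-style check."""
import hashlib
import hmac

DIGEST_LEN = 32  # SHA-256 output length, used as the MDC tag length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream: PRF(key, nonce || counter) for counter = 0, 1, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor(data, keystream(key, nonce, len(data)))


ctr_decrypt = ctr_encrypt


def nonce_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same key and nonce: c1 ^ c2 == p1 ^ p2.
    Anyone holding a crib for one message reads the other without the key."""
    return xor(c1, c2)


def mdc_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """MDC-style: run a hash over the plaintext and encrypt it along with it."""
    tag = hashlib.sha256(plaintext).digest()
    return ctr_encrypt(key, nonce, plaintext + tag)


def mdc_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Decrypt, then recompute the hash and compare it to the decrypted tag."""
    raw = ctr_decrypt(key, nonce, ciphertext)
    plaintext, tag = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), tag):
        raise ValueError("MDC check failed: ciphertext was modified")
    return plaintext


def flip_bit(data: bytes, index: int, mask: int = 0x01) -> bytes:
    """Counter modes are malleable: flipping a ciphertext bit flips the same
    plaintext bit. The MDC is what turns that into a detected error."""
    buf = bytearray(data)
    buf[index] ^= mask
    return bytes(buf)


def forge_with_known_plaintext(ciphertext: bytes, known: bytes, wanted: bytes) -> bytes:
    """Why an unkeyed hash inside a stream-style mode is not a MAC: with a
    known plaintext the keystream is known, so a new plaintext of the same
    length plus its own hash can be re-encrypted and passes the MDC check."""
    assert len(known) == len(wanted)
    ks = xor(ciphertext, known + hashlib.sha256(known).digest())
    return xor(wanted + hashlib.sha256(wanted).digest(), ks)


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"fixed-nonce-1234"          # constructed demo values
    p1, p2 = b"attack at dawn!!", b"retreat at dusk!"    # constructed messages
    c1, c2 = ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2)
    print(xor(nonce_reuse_leak(c1, c2), p1) == p2)       # True: p2 read via a crib
    ct = mdc_encrypt(key, nonce, p1)
    try:
        mdc_decrypt(key, nonce, flip_bit(ct, 0))
    except ValueError as err:
        print(err)                                       # MDC check failed
    print(mdc_decrypt(key, nonce, forge_with_known_plaintext(ct, p1, p2)) == p2)  # True
```

The last line is the practitioner's caveat: the MDC makes accidental or blind modification detectable, but because the tag is an unkeyed hash encrypted under the same keystream, a known-plaintext attacker under a reused nonce can still produce a ciphertext that passes the check. That is the gap between "integrity check" and a keyed MAC or a proper AEAD, and it is the same nonce-discipline problem that makes GCM hard to deploy correctly.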