Martin Rex <m...@sap.com> writes:

>Though it is a pretty flawed assumption.
>
>I've seen an AEAD cipher implementation fail badly just recently (resulting
>in corrupted plaintext that went unnoticed within TLS--MACing the ciphertext
>is obviously a pretty dumb idea), something that is *MUCH* more unlikely to
>happen to any cipher suites using GenericBlockCipher PDU.

There have been many more failures with GCM, the most notorious being Colin
Percival's tarsnap, where a single missed operation (increment the IV)
resulted in a total loss of security.  Colin is a very experienced crypto
developer, so it's not like this was some beginner mistake.  This is why I
referred to GCM as "brittle": you can be about as abusive as you like with CBC
and the worst you get is degradation to ECB, while with GCM you make one
mistake and you get a catastrophic loss of security.

Peter.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
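The failure mode Peter describes (one missed IV increment turning GCM from secure into a two-time pad) and the usual engineering answer to it can both be shown with Go's standard-library AES-GCM. The code below is an added illustration, not part of this thread or of tarsnap: `NonceReuseLeak` seals two plaintexts under the same key and nonce and shows that XORing the ciphertexts yields the XOR of the plaintexts, and `Sealer` is an assumed wrapper that owns the nonce (random prefix plus a counter) so a caller cannot forget to advance it and is refused once the budget is spent. The message limit, key sizes and sample strings are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// xorBytes XORs a and b over the length of the shorter slice.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// NonceReuseLeak seals p1 and p2 under the same key and the same nonce and
// XORs the two ciphertexts (tags excluded). GCM is CTR mode plus a MAC, so a
// repeated nonce means a repeated keystream and the result equals p1 XOR p2:
// the two plaintexts leak relative to each other with no knowledge of the key.
func NonceReuseLeak(key, nonce, p1, p2 []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	c1 := gcm.Seal(nil, nonce, p1, nil)
	c2 := gcm.Seal(nil, nonce, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	return xorBytes(c1[:n], c2[:n]), nil
}

// Sealer wraps an AEAD so that nonce management cannot be skipped: the 96-bit
// nonce is a random 32-bit prefix followed by a 64-bit counter advanced on
// every Seal, and Seal refuses to run once the per-key budget is exhausted.
type Sealer struct {
	aead    cipher.AEAD
	prefix  [4]byte
	counter uint64
	limit   uint64 // assumed per-key message budget, not a standardised value
}

// NewSealer builds an AES-GCM AEAD from key and draws a fresh nonce prefix.
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	s := &Sealer{aead: gcm, limit: 1 << 32}
	if _, err := rand.Read(s.prefix[:]); err != nil {
		return nil, err
	}
	return s, nil
}

// nextNonce returns a never-before-used nonce, or an error once the budget is spent.
func (s *Sealer) nextNonce() ([]byte, error) {
	if s.counter >= s.limit {
		return nil, errors.New("nonce budget exhausted: rotate the key")
	}
	nonce := make([]byte, s.aead.NonceSize())
	copy(nonce, s.prefix[:])
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	s.counter++
	return nonce, nil
}

// Seal encrypts plaintext and returns nonce || ciphertext || tag, so callers
// never touch the nonce themselves.
func (s *Sealer) Seal(plaintext []byte) ([]byte, error) {
	nonce, err := s.nextNonce()
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(nonce)+len(plaintext)+s.aead.Overhead())
	out = append(out, nonce...)
	return s.aead.Seal(out, nonce, plaintext, nil), nil
}

// Open decrypts a message produced by Seal, failing on any tampering.
func (s *Sealer) Open(msg []byte) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(msg) < ns {
		return nil, errors.New("message too short")
	}
	return s.aead.Open(nil, msg[:ns], msg[ns:], nil)
}

func main() {
	key := make([]byte, 16) // all-zero key, constructed for the demo
	p1, p2 := []byte("attack at dawn!!"), []byte("retreat at noon!")
	leak, _ := NonceReuseLeak(key, make([]byte, 12), p1, p2)
	fmt.Printf("ct1 XOR ct2 == p1 XOR p2: %v\n", string(leak) == string(xorBytes(p1, p2)))
	s, _ := NewSealer(key)
	m1, _ := s.Seal([]byte("hello"))
	m2, _ := s.Seal([]byte("hello"))
	fmt.Printf("nonces differ: %v\n", string(m1[:12]) != string(m2[:12]))
}
```

Point to note in the design: the only state a caller can get wrong is gone, and the wrapper turns "ran out of nonces" into a hard error rather than a silent wrap back to a nonce already used, which is exactly the class of slip Peter is describing.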