Note: TLS 1.3 should significantly decrease the risk of this because the record sequence number is used as the nonce, therefore if you fail to increment the sequence number, you will quickly not interoperate with other implementations which are correct.
-Ekr

On Sun, Mar 20, 2016 at 12:53 PM, Harlan Lieberman-Berg <hlieber...@setec.io> wrote:
> Peter Gutmann <pgut...@cs.auckland.ac.nz> writes:
> > This is why I referred to GCM as "brittle", you can be about as
> > abusive as you like with CBC and the worst you get is degradation to
> > ECB, while with GCM you make one mistake and you get a catastrophic
> > loss of security.
>
> Couldn't you say the same about CTR mode, or stream ciphers themselves?
> Sure -- it's definitely a lot harder to screw up "incrementing a
> counter" than it is all the stuff GCM requires you to do, but....
>
> Sincerely,
>
> --
> Harlan Lieberman-Berg
> ~hlieberman
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
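The mechanism Ekr describes, as an added example that is not part of this thread: a minimal TLS 1.3 record layer in Go using the RFC 8446 nonce construction (record sequence number XORed into the static write IV), showing that a sender which stops incrementing its sequence number is rejected by a correct receiver at the second record. The key, IV and payload are constructed sample values, and the record-layer helpers (tls13Nonce, sealRecord, openRecord, accepted, demo) are this example's own, not any library's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// tls13Nonce is the per-record nonce of RFC 8446 section 5.3: the 64-bit record
// sequence number, left-padded with zeros to the IV length, XORed with the static
// write IV. The sequence number is implicit and never sent on the wire.
func tls13Nonce(writeIV []byte, seq uint64) []byte {
	nonce := make([]byte, len(writeIV))
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], seq)
	for i := range nonce {
		nonce[i] ^= writeIV[i]
	}
	return nonce
}

// header is the AEAD additional data of RFC 8446 section 5.2: type 23 (application_data),
// legacy version 0x0303 and the length of the encrypted record.
func header(ctLen int) []byte { return []byte{23, 3, 3, byte(ctLen >> 8), byte(ctLen)} }

// sealRecord and openRecord are stateless; each endpoint owns its own sequence number.
func sealRecord(aead cipher.AEAD, iv []byte, seq uint64, pt []byte) []byte {
	return aead.Seal(nil, tls13Nonce(iv, seq), pt, header(len(pt)+aead.Overhead()))
}

func openRecord(aead cipher.AEAD, iv []byte, seq uint64, ct []byte) ([]byte, error) {
	return aead.Open(nil, tls13Nonce(iv, seq), ct, header(len(ct)))
}

// accepted seals one record per sender sequence number in senderSeqs and returns how
// many a correct receiver (expecting 0, 1, 2, ...) accepts before its first tag failure.
func accepted(aead cipher.AEAD, iv []byte, senderSeqs []uint64) int {
	for i, s := range senderSeqs {
		ct := sealRecord(aead, iv, s, []byte("record payload")) // constructed payload
		if _, err := openRecord(aead, iv, uint64(i), ct); err != nil {
			return i
		}
	}
	return len(senderSeqs)
}

// demo compares a correct sender with one that never increments its sequence number.
// Key and IV are constructed sample values; TLS derives real ones with HKDF-Expand-Label.
func demo() (correctSender, buggySender int) {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // 16-byte key: AES-128, no error
	aead, _ := cipher.NewGCM(block)                      // cannot fail for an AES block cipher
	iv := []byte("fixed-iv-12b")
	return accepted(aead, iv, []uint64{0, 1, 2}), accepted(aead, iv, []uint64{0, 0, 0})
}
```

With an explicit per-record nonce carried in the record, as in TLS 1.2 AES-GCM, the same sender bug would reuse a nonce without any tag failure on the receiving side, which is the contrast Ekr's note draws.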