David McGrew <mcg...@cisco.com> writes: >What is especially cool about counter mode encryption is how its real world >security degrades more gracefully than CBC mode encryption.
Uhh... how does CTR "degrade gracefully" compared to CBC? With CTR, any kind of problem with the IV/CTR leads to a catastrophic loss of security. With CBC, even the worst-case IV abuse you can apply, setting it to all zeroes, just degrades the mode to ECB. (There have been a number of instances of CTR, or at least GCM, failures already, and I doubt we've seen the last of it. It's RC4 all over again). Peter. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
