Hi Peter,

> On Jul 19, 2016, at 2:58 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>
> David McGrew <mcg...@cisco.com> writes:
>
>> What is especially cool about counter mode encryption is how its real world
>> security degrades more gracefully than CBC mode encryption.
>
> Uhh... how does CTR "degrade gracefully" compared to CBC?

I should have said: “degrades more gracefully as the number of known plaintext blocks increases to, and beyond, the birthday bound”.

> With CTR, any kind of problem with the IV/CTR leads to a catastrophic loss of
> security. With CBC, even the worst-case IV abuse you can apply, setting it to
> all zeroes, just degrades the mode to ECB.

Right, but that’s a different topic.

David

> (There have been a number of instances of CTR, or at least GCM, failures
> already, and I doubt we've seen the last of it. It's RC4 all over again).
>
> Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
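An added example, not part of the original thread, that runs the IV-misuse comparison from the quoted text: two messages encrypted under a repeated CTR nonce and under a repeated all-zero CBC IV, showing what an observer of the ciphertexts can compute in each case. The block cipher is a toy 4-round Feistel over SHA-256 standing in for AES so the script needs only the standard library; all function names, the key and the plaintexts are constructed for illustration.

```python
# Added example: toy 16-byte block cipher (4-round Feistel over SHA-256),
# a stand-in for AES. Not a real cipher; it only has to be a keyed permutation.
import hashlib

BLOCK = 16

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ctr_encrypt(key, nonce, pt):
    # 8-byte nonce followed by an 8-byte big-endian block counter
    out = b""
    for i, chunk in enumerate(blocks(pt)):
        out += xor(chunk, encrypt_block(key, nonce + i.to_bytes(8, "big")))
    return out

def cbc_encrypt(key, iv, pt):
    # pt must be a multiple of BLOCK; padding is left out of this sketch
    prev, out = iv, b""
    for chunk in blocks(pt):
        prev = encrypt_block(key, xor(chunk, prev))
        out += prev
    return out

def reuse_leak():
    key = b"constructed-key!"                         # constructed sample key
    p1 = b"HEADER-BLOCK-001" + b"amount=000100 EU"    # constructed plaintexts
    p2 = b"HEADER-BLOCK-001" + b"amount=999999 EU"
    nonce, iv = bytes(8), bytes(BLOCK)
    # CTR, nonce repeated: the keystream cancels, so c1 XOR c2 == p1 XOR p2
    ctr_leaks_xor = xor(ctr_encrypt(key, nonce, p1),
                        ctr_encrypt(key, nonce, p2)) == xor(p1, p2)
    # CBC, zero IV repeated: equal leading blocks give equal ciphertext blocks
    c1, c2 = cbc_encrypt(key, iv, p1), cbc_encrypt(key, iv, p2)
    equal_blocks = [a == b for a, b in zip(blocks(c1), blocks(c2))]
    cbc_leaks_xor = xor(c1, c2) == xor(p1, p2)
    return ctr_leaks_xor, equal_blocks, cbc_leaks_xor
```

`reuse_leak()` returns `(True, [True, False], False)`: under CTR the XOR of the two plaintexts is recoverable from the ciphertexts alone, while under CBC the observer learns only that the first block matched.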