I recently came across this story about NSA employees messing with crypto 
standards regarding internet telephony.
What's interesting are some details about the use of GCM in real-time 
applications like SRTP and ssh.

The story is in German, therefore I'm translating the relevant parts:


"This current NSA draft concerns the protocol for the encryption of 
internet telephony. However, the block cipher mode intended for it, called 
"Galois Counter Mode" (GCM), had already been described as generally 
attackable and scathingly criticised in 2005 by a well-known cryptography 
expert at Microsoft. It was specifically and emphatically warned against 
using this cipher for real-time protocols; the encryption of internet 
telephony was cited as a negative practical example."

[...] The "Galois Counter Mode" (GCM) was heavily criticised in 2005 by a 
renowned crypto expert at Microsoft and described as generally vulnerable. It 
was warned that especially in real-time applications this cipher should not be 
used. [...]

and

"The Finnish cryptographer Markku-Juhani Saarinen had likewise warned 
against the use of the block cipher in 2012 at the security conference FSE 
2012 in Washington. Especially for real-time protocols such as Secure Shell 
for Virtual Private Networks, GCM is strongly discouraged."

[...] The Finnish crypto expert Markku-Juhani Saarinen had also warned not to 
use the block cipher in 2012 at the security conference FSE in Washington. 
Especially the use with real-time applications like ssh for VPN is not 
recommended. [...]


Source: http://fm4.orf.at/stories/1737330/

There is also this paper from Niels Ferguson describing the technical issues:
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf


So my question is: Why is nobody talking about this?
Even though it seems OK to use GCM with most https applications, it is also 
widely used and recommended with ssh and SRTP (like xmpp).
Should it not be recommended to avoid the use of GCM in these latter cases?


_______________________________________________
Ach mailing list
http://lists.cert.at/cgi-bin/mailman/listinfo/ach