On Sep 5, 2013, at 6:16 PM, Dan McDonald <dan...@kebe.com> wrote:

> Consider the Suite B set of algorithms:
>       AES-GCM
>       AES-GMAC
>       IEEE Elliptic Curves (256, 384, and 521-bit)
> Traditionally, people were pretty confident in these.  How is people's
> confidence in them now?

My opinion about GCM and GMAC has not changed. I've never been a fan.

My objection to them is that they are tetchy to use -- hard to get right, easy 
to get wrong. It's pretty much what is in Niels's paper:


I don't think they're actively bad, though. For the purpose they were created 
for -- parallelizable authenticated encryption -- they serve their purpose. You 
can have a decent implementor implement them right in hardware and walk away.

I think that any of OCB, CCM, or EAX are preferable from a security standpoint, 
but none of them parallelize as well. If you want to do a lot of encrypted and 
authenticated high-speed link encryption, well, there is likely no other 
answer. It's GCM or nothing.

Remember that every intelligence agency has a SIGINT branch and an IA 
(Information Assurance) branch. Sometimes they are different agencies (at least 
titularly) like GCHQ/CESG, BND/BSI, etc. The NSA does not separate its SIGINT 
directorate and the IA directorate into different agencies.

I think the IA people have shown they do a good job, but they are humans too 
and make mistakes. Heck, there are things that various IA people do and 
recommend that I disagree with from weakly to strongly. I weakly disagree with 
GCM -- I think it's spinach and I say to hell with it, as opposed to thinking 
it's crap.

Would a signals intelligence organization that finds a flaw in what the IA 
people did tell the IA branch so people can fix it? That's the *real* question.


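The message above calls GCM "hard to get right, easy to get wrong" without spelling out the failure. The most common way it goes wrong in practice is a nonce repeated under one key. The Go program below is an added example, not part of the original message and not the author's code: it uses the standard library's crypto/cipher to show what a repeated nonce costs (the XOR of two ciphertexts sealed under the same key and nonce is the XOR of the two plaintexts, so one known message reveals the other, with no key material involved) and, beside it, the corrected pattern of a per-key counter nonce that cannot repeat and refuses to wrap. The key, the nonce, the two messages and the names KeystreamLeak, RecoverFromKnownPlaintext and Channel are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"math"
)

// Constructed sample inputs for this demonstration (not from the original post).
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoNonce = []byte("fixed-nonce!")                     // 12 bytes, deliberately reused below
	msgA      = []byte("transfer 100 to account 4711")
	msgB      = []byte("transfer 999 to account 1337")
)

// newGCM builds an AES-GCM AEAD; it does not track nonces, the caller must.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamLeak seals p1 and p2 under the same key and nonce and returns the
// XOR of the two ciphertext bodies (16-byte tags stripped). GCM encrypts in
// counter mode, so a repeated nonce repeats the keystream and the result is
// exactly p1 XOR p2, obtained without knowing the key.
func KeystreamLeak(key, nonce, p1, p2 []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	c1 := aead.Seal(nil, nonce, p1, nil) // first message: fine on its own
	c2 := aead.Seal(nil, nonce, p2, nil) // second message, same nonce: the mistake
	return xorBytes(c1[:len(p1)], c2[:len(p2)]), nil
}

// RecoverFromKnownPlaintext turns the leak into the other message: if p1 is
// known or guessable, p2 = leak XOR p1.
func RecoverFromKnownPlaintext(leak, knownP1 []byte) []byte {
	return xorBytes(leak, knownP1)
}

// Channel is the corrected pattern: a deterministic 96-bit nonce made of a
// fixed 32-bit sender ID and a 64-bit sequence number that only increases,
// so no nonce repeats under one key. Exhausting the counter is an error that
// forces a key rotation instead of a silent wraparound.
type Channel struct {
	aead     cipher.AEAD
	senderID uint32
	seq      uint64
}

func NewChannel(key []byte, senderID uint32) (*Channel, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &Channel{aead: aead, senderID: senderID}, nil
}

// Seal returns nonce || ciphertext || tag using a never-before-used nonce.
func (c *Channel) Seal(plaintext, aad []byte) ([]byte, error) {
	if c.seq == math.MaxUint64 {
		return nil, errors.New("gcm: nonce space exhausted, rotate the key")
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[:4], c.senderID)
	binary.BigEndian.PutUint64(nonce[4:], c.seq)
	c.seq++
	return c.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the tag and decrypts a message produced by Seal.
func (c *Channel) Open(sealed, aad []byte) ([]byte, error) {
	if len(sealed) < 12+c.aead.Overhead() {
		return nil, errors.New("gcm: message too short")
	}
	return c.aead.Open(nil, sealed[:12], sealed[12:], aad)
}
```

The keystream leak is only the part of the damage that needs no algebra to see: a repeated nonce also exposes the GHASH authentication subkey, so forgeries follow as well. If random nonces are used instead of a counter, the 96-bit nonce space has to be retired with the key well before 2^32 messages to keep the repeat probability acceptable, which is why the counter construction is the one that is hard to misuse.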

The cryptography mailing list
