On Sep 5, 2013, at 7:15 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:

> Jon Callas <j...@callas.org> writes:
>
>> My opinion about GCM and GMAC has not changed. I've never been a fan.
>
> Same here. AES is, as far as we know, pretty secure, so any problems are
> going to arise in how AES is used. AES-CBC wrapped in HMAC is about as solid
> as you can get. AES-GCM is a design or coding accident waiting to happen.
> This isn't the 1990s, we don't need to worry about whether DES or FEAL or IDEA
> or Blowfish really are secure or not, we can just take a known-good system off
> the shelf and use it. What we need to worry about now is deployability.
> AES-CTR and AES-GCM are RC4 all over again, it's as if we've learned nothing
> from the last time round.

How do you feel (heh, I typoed that as "feal") about the other AEAD modes?

Jon

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography