Jon Callas <> writes:

>My opinion about GCM and GMAC has not changed. I've never been a fan.

Same here.  AES is, as far as we know, pretty secure, so any problems are
going to arise in how AES is used.  AES-CBC wrapped in HMAC is about as solid
as you can get.  AES-GCM is a design or coding accident waiting to happen.
This isn't the 1990s, we don't need to worry about whether DES or FEAL or IDEA
or Blowfish really are secure or not, we can just take a known-good system off
the shelf and use it.  What we need to worry about now is deployability.  AES-
CTR and AES-GCM are RC4 all over again, it's as if we've learned nothing from
the last time round.

The cryptography mailing list

Reply via email to