Hi,

> Same here. AES is, as far as we know, pretty secure, so any problems are
> going to arise in how AES is used. AES-CBC wrapped in HMAC is about as solid
> as you can get. AES-GCM is a design or coding accident waiting to happen.

But for right now, what options do we have that are actually implemented somewhere? Take SSL. CBC mode has come under pressure for SSL (CRIME, BEAST, etc.), and I don't see any move towards TLS > 1.0. RC4 was good enough for a while, but with djb's new work - it's just waiting to be improved and made practical by someone. FWIW, we still use RC4 on our servers, but I'd be happy to see something else that is practical.

Of course, the above attacks are probably not one of your worries when you're up against the NSA - your own system is probably much more endangered.

Ralph

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography