On Saturday 20 Apr 2013 17:02:29 Ximin Luo wrote:
> On 18/04/13 13:08, Matthew Toseland wrote:
> > On Thursday 18 Apr 2013 07:34:28 Florent Daigniere wrote:
> >> On Wed, Apr 17, 2013 at 11:59:16PM +0100, Ximin Luo wrote:
> >>> OCB mode[1] is a CCA-secure[2] mode of encryption, which means that it's
> >>> secure against active attackers, which pretty much applies to anything on
> >>> the Internet. By contrast, non-authenticated encryption (anything without
> >>> a MAC, e.g. AES-CBC, AES-CTR) is only CPA-secure[3] and breaks under an
> >>> active attacker.
> >>>
> >>> You can build CCA-secure schemes by combining Enc() and Mac() operations
> >>> (with different keys!). Enc(M)||Mac(Enc(M)) is generally secure;
> >>> Enc(M||Mac(M)) and Enc(M)||Mac(M) can have security problems, the latter
> >>> being more likely to be insecure.
> >>>
> >>> However, OCB is apparently faster than schemes that do
> >>> authentication/encryption separately. It used to be patent-encumbered,
> >>> but as of January 2013 the creator is giving an exception to open source
> >>> projects.[4]
> >
> > It's essentially an adapted form of CBC. (Which means it's vulnerable to
> > weak IVs, but that's not a big deal.) So effectively it encrypts every
> > block twice, as opposed to taking an HMAC at the end (= one hash of the
> > whole packet and then one single block hash). Is hashing that much slower
> > than crypto?
>
> OCB uses the underlying block cipher *once* for each block of plaintext,
> whereas encrypt/MAC combination schemes use it twice.
Okay then we should use it. We'll have to figure out how long a tag we want, and it degrades after 4PB, but since we rekey every half hour that's not a problem! :)
_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
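The distinction Ximin draws in the quoted message, unauthenticated CTR "breaks under an active attacker" while Enc(M)||Mac(Enc(M)) with independent keys holds up, is easy to see in working code. The following is an added example written for this page, not code from the thread or from Freenet. Go's standard library has no OCB, so it uses AES-CTR for Enc() and HMAC-SHA256 for Mac(); the keys, IV and the "PAY 0100 TO ALICE" message are constructed for the demonstration, and a real implementation would draw the keys and a fresh per-message IV from crypto/rand.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ctrEncrypt returns iv || AES-CTR(key, iv, pt) with no MAC: the
// "only CPA-secure" case from the thread. An IV must never be reused
// under the same key.
func ctrEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(iv)+len(pt))
	copy(out, iv)
	cipher.NewCTR(block, iv).XORKeyStream(out[len(iv):], pt)
	return out
}

// ctrDecrypt inverts ctrEncrypt; CTR decryption is the same keystream XOR.
func ctrDecrypt(key, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt
}

// flipPlaintext is the active attacker: knowing (or guessing) that the
// plaintext at offset reads oldB, XOR oldB^newB into the ciphertext so the
// receiver decrypts newB. No key is needed; this works against any
// stream or CTR-mode cipher.
func flipPlaintext(msg []byte, offset int, oldB, newB []byte) []byte {
	forged := append([]byte(nil), msg...)
	for i := range oldB {
		forged[aes.BlockSize+offset+i] ^= oldB[i] ^ newB[i]
	}
	return forged
}

// etmSeal is Enc(M) || Mac(Enc(M)): HMAC-SHA256 over iv||ct under a MAC
// key independent of the encryption key.
func etmSeal(encKey, macKey, iv, pt []byte) []byte {
	c := ctrEncrypt(encKey, iv, pt)
	m := hmac.New(sha256.New, macKey)
	m.Write(c)
	return m.Sum(c) // appends the 32-byte tag to c
}

// etmOpen verifies the tag in constant time before decrypting anything;
// any flipped bit in iv||ct changes the expected tag and is rejected.
func etmOpen(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	c, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(c)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	return ctrDecrypt(encKey, c), nil
}

// eamTag is the Mac(M) half of Enc(M) || Mac(M). It is deterministic over
// the plaintext, so equal plaintexts carry equal tags even under different
// IVs: the ciphertext hides the message, the tag leaks its repetition.
func eamTag(macKey, pt []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(pt)
	return m.Sum(nil)
}

func main() {
	// Constructed demo keys and IV (real code: crypto/rand, fresh IV per message).
	encKey := bytes.Repeat([]byte{0x11}, 16)
	macKey := bytes.Repeat([]byte{0x22}, 32)
	iv := bytes.Repeat([]byte{0x33}, aes.BlockSize)
	pt := []byte("PAY 0100 TO ALICE")

	msg := ctrEncrypt(encKey, iv, pt)
	forged := flipPlaintext(msg, 4, []byte("0100"), []byte("9900"))
	fmt.Printf("CTR only: forgery decrypts to %q\n", ctrDecrypt(encKey, forged))

	sealed := etmSeal(encKey, macKey, iv, pt)
	_, err := etmOpen(encKey, macKey, flipPlaintext(sealed, 4, []byte("0100"), []byte("9900")))
	fmt.Println("EtM: forgery ->", err)
}
```

The first half of main shows the CPA-only failure the thread refers to: the attacker changes the amount without the key. The second half shows why Enc(M)||Mac(Enc(M)) is the safe generic composition: the tag is bound to the ciphertext, so the same bit flip is detected before decryption, and because the MAC key is independent of the encryption key, a weakness in one does not compromise the other. OCB achieves the same integrity guarantee with one block-cipher call per block instead of a cipher call plus a hash pass.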
