Steve Weis:
> Comments inline...
>
> On Tue, Jun 11, 2013 at 10:47 AM, Sean Cassidy <sean.a.cass...@gmail.com> wrote:
> >
> > > - Any specific reason you picked CTR?
> >
> > CTR is widely recommended. Cryptography Engineering specifically
> > recommends it.
I was puzzled by this recommendation. CTR has several bad properties that can surprise you, and have bitten Tor as well.

> The reason I ask is that this makes your IV-generation more critical than,
> say, CBC, XTS, or other modes. If you have an IV collision, you'll leak
> some message bits.

In addition to this, CTR allows bit-level malleability of the cleartext: a bit flipped in a CTR cipherstream translates into a bit flipped in the cleartext. In fact, if there are regions of known cleartext (such as zeroes) the adversary can do things like encode the originating IP in the cleartext simply by XORing it into the cipherstream. This property can cause problems if you perform any operations before checking the MAC (like evaluating a weak CRC to decide to forward the message or not).

CBC on the other hand causes a single ciphertext bitflip to scramble a block of cleartext (16 or 32 bytes for 128bit vs 256bit) in an unpredictable and key-dependent way.

-- 
Mike Perry
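The CTR-versus-CBC behaviour described in the message above, shown as an added example (not code from this thread or from the project under discussion) using only the Go standard library: one ciphertext byte is XORed in transit; the CTR decryption shows the flip landing on exactly the chosen plaintext byte, the CBC decryption shows the affected block scrambled and the flip carried into the next block, and an encrypt-then-MAC check (HMAC-SHA256 over IV and ciphertext, verified before any decryption) rejects the modified message. The key, IV, MAC key and message are constructed demo values; a real system needs a fresh IV per message and separate encryption and MAC keys derived with a KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed demo values (assumptions for this example): a fixed 32-byte
// AES-256 key, a fixed 16-byte IV and a separate MAC key so the run repeats.
// Never reuse an IV under one key in real code.
var DemoKey = []byte("0123456789abcdef0123456789abcdef")
var DemoIV = []byte("fixed-demo-iv-16")
var DemoMacKey = []byte("mac-key-for-demo-only-32-bytes!!")

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// CTRXor applies AES-CTR in either direction (encryption and decryption are
// the same keystream XOR). No authentication is involved.
func CTRXor(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(out, in)
	return out
}

// CBCEncrypt and CBCDecrypt handle block-aligned input, no padding, no MAC.
func CBCEncrypt(key, iv, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, pt)
	return out
}

func CBCDecrypt(key, iv, ct []byte) []byte {
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(mustAES(key), iv).CryptBlocks(out, ct)
	return out
}

// XorAt returns a copy of ct with patch XORed in at offset, modelling an
// in-transit modification of the ciphertext.
func XorAt(ct []byte, offset int, patch []byte) []byte {
	mod := append([]byte(nil), ct...)
	for i, b := range patch {
		mod[offset+i] ^= b
	}
	return mod
}

// CTRFlipDemo: a ciphertext bit flip becomes the identical plaintext bit flip.
func CTRFlipDemo(pt []byte, offset int, patch []byte) []byte {
	ct := CTRXor(DemoKey, DemoIV, pt)
	return CTRXor(DemoKey, DemoIV, XorAt(ct, offset, patch))
}

// CBCFlipDemo: the same flip scrambles the whole block it lands in and
// flips the corresponding bits of the following block.
func CBCFlipDemo(pt []byte, offset int, patch []byte) []byte {
	ct := CBCEncrypt(DemoKey, DemoIV, pt)
	return CBCDecrypt(DemoKey, DemoIV, XorAt(ct, offset, patch))
}

// authTag is HMAC-SHA256 over IV || ciphertext (encrypt-then-MAC).
func authTag(iv, ct []byte) []byte {
	m := hmac.New(sha256.New, DemoMacKey)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// Seal encrypts with CTR and returns ciphertext plus tag.
func Seal(pt []byte) (ct, mac []byte) {
	ct = CTRXor(DemoKey, DemoIV, pt)
	return ct, authTag(DemoIV, ct)
}

// Open is the mitigation: verify the tag in constant time BEFORE any other
// processing of the message. A modified ciphertext is rejected outright.
func Open(ct, mac []byte) ([]byte, bool) {
	if !hmac.Equal(mac, authTag(DemoIV, ct)) {
		return nil, false
	}
	return CTRXor(DemoKey, DemoIV, ct), true
}

func main() {
	// Constructed message: two 16-byte blocks, the second all zeros.
	pt := []byte("amount=000000001" + "0000000000000000")
	patch := []byte{0x01} // '0' (0x30) XOR 0x01 = '1'
	fmt.Printf("CTR after flip: %q\n", CTRFlipDemo(pt, 7, patch))
	fmt.Printf("CBC after flip: %q\n", CBCFlipDemo(pt, 7, patch))
	ct, mac := Seal(pt)
	_, ok := Open(XorAt(ct, 7, patch), mac)
	fmt.Println("tampered message accepted by MAC check:", ok)
}
```

The CBC result in the second line of output is the point of the comparison: the first block comes back as key-dependent garbage and only the second block shows a clean one-byte change, whereas the CTR result is the original text with a single digit changed. The MAC check is what makes the mode choice survivable either way: with verification done first, the forwarding decision never sees modified plaintext.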
-- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech