[cryptography] Workshop on Real-World Cryptography

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Mar 4 03:22:48 EST 2013

Jon Callas <jon at callas.org> writes:

>(Personally, I don't like GCM. I think it's too tetchy. But I'm pretty blasé
>about PKCS#1, because I'm used to poring over it to make sure it's done

Same here.  GCM combines the scariest features of CTR mode (it's RC4 all over
again; apart from SSL, people have managed to get that wrong almost everywhere
it's been used) and GHASH (all the side-channels you can eat).  With CBC+HMAC
we at least know what we're getting and can defend against it, with GCM
there's years of attacks still waiting to be published.
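The CTR half of that objection, as an added example that is not part of the thread: with Go's standard-library AES-GCM, sealing two messages under one key and the same nonce makes the keystream cancel, so ct1 XOR ct2 equals pt1 XOR pt2, the same failure as a reused RC4 key. The NonceGuard type is the defender's bookkeeping that refuses a repeated (key, nonce) pair; the key and nonces used with it are constructed demo values, and the GHASH side-channel point is not demonstrated here.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"sync"
)

// newGCM builds an AES-GCM AEAD; the demo keys are well-formed, so errors are fatal.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}
// KeystreamLeaks seals pt1 under nonce1 and pt2 under nonce2 with one key and reports
// whether ct1 XOR ct2 == pt1 XOR pt2 (tags ignored). Equal nonces make it true: the
// CTR keystream cancels exactly like a reused RC4 key; distinct nonces make it false.
func KeystreamLeaks(key, nonce1, nonce2, pt1, pt2 []byte) bool {
	aead := newGCM(key)
	c1 := aead.Seal(nil, nonce1, pt1, nil) // ciphertext || 16-byte tag
	c2 := aead.Seal(nil, nonce2, pt2, nil)
	if len(pt2) < len(pt1) {
		pt1, pt2, c1, c2 = pt2, pt1, c2, c1 // iterate over the shorter message
	}
	for i := range pt1 {
		if c1[i]^c2[i] != pt1[i]^pt2[i] {
			return false
		}
	}
	return true
}
// NonceGuard is the defensive counterpart: it refuses a second encryption under the
// same (key, nonce) pair, the bookkeeping every GCM deployment has to get right.
type NonceGuard struct {
	Key  []byte
	seen sync.Map // nonce bytes already used under Key
}
// Seal encrypts plaintext under Key, or fails if nonce was already used with it.
func (g *NonceGuard) Seal(nonce, plaintext []byte) ([]byte, error) {
	if _, dup := g.seen.LoadOrStore(string(nonce), true); dup {
		return nil, errors.New("nonce reuse under this key refused")
	}
	return newGCM(g.Key).Seal(nil, nonce, plaintext, nil), nil
}
```

Nonces passed to either function must be the standard 12 bytes, since Go's GCM panics on any other length.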


