using aes256
Werner Koch
wk at gnupg.org
Thu Oct 31 13:59:07 CET 2024
On Wed, 30 Oct 2024 17:53, Robert J. Hansen said:
>> Counter modes are evil and thus not used.
>
> Evil? Howso? I know there's a malleability problem, but GnuPG has
> used an HMAC since what, 1999, so that problem was mitigated decades
> ago. Is there another set of problems I'm unaware of?
All counter modes are fragile and are too easy to get wrong. It is the
same as with RC4: in theory easy to use, in practice nobody gets this
right. GCM is RC4 on steroids and in its defence it tried to avoid
patent issues for authenticated encryption.
Here is a discussion thread triggered by WPA2 flaws due to the use of GCM:
https://www.metzdowd.com/pipermail/cryptography/2017-October/032895.html
and here on GCM vs. OCB:
https://www.metzdowd.com/pipermail/cryptography/2021-February/036741.html
Of course some people don't have such strong opinions as Peter Gutmann
but our evaluators for GnuPG's VS-NfD approval also said: let us stay
away from GCM - it is too hard to get right.
BTW, we don't use HMAC in GnuPG except for PKCS#12, TPM, and the
experimental gpg-pair-tool.
For authenticated encryption we used to rely on the signature and later
(2001) introduced the MDC, which is an ad-hoc method to achieve this by
running a hash over the plaintext and encrypting it along with the
plaintext.
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
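An added example, not GnuPG's or OpenPGP's own code: the MDC construction described in the message, modelled on OpenPGP's (SHA-1 over the plaintext followed by the two MDC packet header bytes 0xD3 0x14, appended and encrypted in CFB mode). Assumptions: a keyed SHA-256 truncated to one block stands in for AES's forward function so the example runs on the standard library alone (CFB only ever needs the forward direction), and OpenPGP's random prefix bytes and packet framing are left out.

```python
import hashlib
import hmac

BLOCK = 16
MDC_HEADER = b"\xd3\x14"   # OpenPGP MDC packet tag 19, length 20 (SHA-1 digest)


def block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's forward function (assumption: keyed
    # SHA-256 truncated to one block replaces AES so this runs offline).
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    # CFB: each block's keystream is E_k(previous ciphertext block).
    # A flipped ciphertext bit flips the same plaintext bit and garbles the
    # following block, but nothing here detects that on its own.
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        ks = block_fn(key, prev)
        res = bytes(a ^ b for a, b in zip(chunk, ks))
        out += res
        prev = chunk if decrypt else res   # chain on the ciphertext block
    return bytes(out)


def mdc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Hash the plaintext (plus the MDC header) and encrypt the digest
    # together with the plaintext: that is the whole MDC idea.
    mdc = hashlib.sha1(plaintext + MDC_HEADER).digest()
    return _cfb(key, iv, plaintext + MDC_HEADER + mdc, decrypt=False)


def mdc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    data = _cfb(key, iv, ciphertext, decrypt=True)
    if len(data) < len(MDC_HEADER) + 20:
        raise ValueError("MDC check failed: message too short")
    body, header, tag = data[:-22], data[-22:-20], data[-20:]
    expected = hashlib.sha1(body + MDC_HEADER).digest()
    if header != MDC_HEADER or not hmac.compare_digest(tag, expected):
        raise ValueError("MDC check failed: ciphertext was modified")
    return body


def tamper_is_detected(key: bytes, iv: bytes, plaintext: bytes, pos: int) -> bool:
    # Flip one ciphertext bit and report whether decryption rejects it.
    ct = bytearray(mdc_encrypt(key, iv, plaintext))
    ct[pos] ^= 0x01
    try:
        mdc_decrypt(key, iv, bytes(ct))
    except ValueError:
        return True
    return False
```

Decrypting the same tampered ciphertext with the bare CFB routine returns a plaintext with the corresponding bit flipped and no error, which is the malleability the MDC was added to catch.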