Jon Callas <j...@callas.org> writes:

>How do you feel (heh, I typoed that as "feal") about the other AEAD modes?

If it's not a stream cipher and doesn't fail catastrophically with IV reuse then it's probably as good as any other mode. Problem is that at the moment modes like AES-CTR are being promulgated as fashion statements without any consideration about operational deployment, when what we should be promoting is something that's safely and effectively deployable. Someblockcipher-CBC + HMAC is a nice safe bet, run your HMAC, do a constant-time compare of the result, toss the encrypted data if you get a verify failure, otherwise decrypt, it's pretty straightforward.

Peter.