I am busy writing the drafts for proposing the JSContact exchange scheme to this group.
One of the concerns that comes up is that AES-GCM remains a technique that turns a nice robust block cipher into a stream cipher, and that makes it rather fragile when considering all the possible ways the botched and the bungled could mis-implement things. Yes, I know formal methods are all the rage; been there, done that, might even collect the bit of paper with the ribbon some day. The problem with formal methods is that they only reveal the security of the system you analyze, and only with respect to the concerns your tools are able to address. And the problem I have as a protocol designer is that you can end up with a scheme that is formally verifiable but brittle in operation. Case in point here being VENONA, which led to the execution of the Rosenbergs despite one-time pads being a provably perfect cipher.

GCM-SIV is one possible option, but it requires two-pass processing, which is OK for encrypting IP packets but severely limits application of the result. The DARE Envelope construct I am using as a basis was originally designed to support exchange of encrypted ZIP-like archives containing TBs of files. Single-pass processing really is a must.

AES-OCB is much better: it is robust even with IV reuse, and we would likely have used it in place of GCM if there hadn't been three sets of conflicting patent claims. I know one version has issues, but the scheme described in RFC 7253 is generally believed to be sound. Phil Rogaway invented much of the apparatus used for formal analysis of symmetric algorithms.

What I propose is adding A128OCB, A192OCB, and A256OCB to the registry of algorithms, following the same approach as AES-GCM. They are just a drop-in replacement.
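An added example (not from the post or the JOSE mailing list) that makes the "block cipher turned stream cipher" fragility concrete: GCM's confidentiality layer is CTR mode, so a repeated nonce under one key lets two ciphertexts cancel to the XOR of their plaintexts, which is the implementation failure the post is worried about. It uses Go's standard-library AES-GCM; the key, nonces and messages are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)
// gcmSeal encrypts pt under key and nonce with AES-GCM (no AAD) and returns ciphertext||tag.
func gcmSeal(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block) // standard 96-bit nonce, 128-bit tag
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, pt, nil)
}

// xorPrefix returns a XOR b over the length of the shorter input.
func xorPrefix(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// PlaintextXORLeaks reports whether two GCM ciphertexts (tags stripped) expose pt1 XOR pt2.
// ct = pt XOR keystream(key, nonce), so a repeated nonce cancels the keystream; fresh nonces do not.
func PlaintextXORLeaks(key, nonce1, nonce2, pt1, pt2 []byte) bool {
	ct1 := gcmSeal(key, nonce1, pt1)[:len(pt1)]
	ct2 := gcmSeal(key, nonce2, pt2)[:len(pt2)]
	return bytes.Equal(xorPrefix(ct1, ct2), xorPrefix(pt1, pt2))
}

func main() {
	key := []byte("0123456789abcdef")                         // constructed 128-bit key, demonstration only
	n1, n2 := []byte("nonce-000001"), []byte("nonce-000002") // constructed 96-bit nonces
	pt1, pt2 := []byte("first message"), []byte("second message")
	fmt.Println("repeated nonce leaks pt1^pt2:", PlaintextXORLeaks(key, n1, n1, pt1, pt2)) // true
	fmt.Println("fresh nonce leaks pt1^pt2:   ", PlaintextXORLeaks(key, n1, n2, pt1, pt2)) // false
}
```

The same check is worth keeping as a regression test in any JWE implementation: a nonce generator that can repeat under one content-encryption key turns every such ciphertext pair into this leak, whatever the tag says about integrity.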
jose mailing list -- [email protected]
