Thu, May. 19th, 2011, 09:29 pm
cdcash [cseweb.ucsd.edu]

I certainly agree that Practical Cryptography feels outdated, and readers should be warned about the problematic parts. Here are a few thoughts and questions from a theoretical crypto POV:

For an encryption mode, you should always use CTR, and always use a nonce of zero, and never reuse keys.

I'm interested to hear more about why this is true. Certainly there are times when you want to reuse keys and use modes that provide more security than that :-).

You should always do encryption as a layer outside of authentication.

It sounds like you are suggesting the opposite of what you should do, which is encrypt first, and then authenticate the ciphertext. Authenticating the plaintext before encrypting is not safe.

For an RSA exponent, you should always use 2. Technically that's Rabin-Williams, and requires slightly different implementation, but that actually works in its favor. Rabin-Williams has a reduction to factoring, RSA does not.

I think suggesting that practitioners dig into implementations of the number-theoretic algorithms (as would be necessary here) is likely to lead to exploitable bugs. Moreover, even a proper implementation of Rabin-Williams would not increase security in practice, unless the sky falls and we find algorithms for inverting the RSA trapdoor function that do something other than factoring. And what's worse is that in practice you'll be using a padding scheme like PKCS#1v1.5, which means the reduction no longer applies. Even if you used OAEP instead, the reduction would be in the random oracle model, further clouding the significance of a reduction to factoring vs RSA inversion.

This is all ignoring the fact that low-exponent (e=3) RSA has led to vulnerabilities in the past...

You should never use the same key for both encryption and authentication. If you need both encryption and authentication, you should use two keys. One for encryption, and one for authentication.

This is good advice, unless you're using an authenticated encryption mode like GCM. It would be good to be more complete on when it applies.
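The encrypt-then-MAC layering and the separate-keys rule discussed in this comment, as an added example that is neither the post's nor the commenter's code: it uses HMAC-SHA256 as a stand-in PRF for the block cipher so it runs on the Python standard library alone, and it also checks the consequence of reusing a nonce under one key.

```python
import hmac
import hashlib

# Added example. HMAC-SHA256 in counter mode stands in for AES-CTR; the layering
# (nonce, CTR keystream, MAC over nonce||ciphertext, verify before decrypt) is
# the point, not the choice of primitive. Key and nonce sizes are assumptions.
NONCE_LEN = 16
TAG_LEN = 32

def derive_keys(master_key):
    """Two independent keys from one master key: one for encryption, one for the MAC."""
    enc_key = hmac.new(master_key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key

def ctr_keystream(enc_key, nonce, length):
    """Counter-mode keystream: PRF(nonce || counter) for counter = 0, 1, 2, ..."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_then_mac(master_key, nonce, plaintext):
    """Encrypt with CTR, then authenticate the ciphertext (plus nonce) under the MAC key."""
    enc_key, mac_key = derive_keys(master_key)
    keystream = ctr_keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def verify_then_decrypt(master_key, message):
    """Check the tag in constant time first; only then touch the ciphertext. None = reject."""
    enc_key, mac_key = derive_keys(master_key)
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    keystream = ctr_keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))

def nonce_reuse_leak(master_key, nonce, m1, m2):
    """Encrypting two messages under the same key and nonce makes c1 XOR c2 equal
    m1 XOR m2, which is exactly why a (key, nonce) pair must never repeat."""
    c1 = encrypt_then_mac(master_key, nonce, m1)[NONCE_LEN:NONCE_LEN + len(m1)]
    c2 = encrypt_then_mac(master_key, nonce, m2)[NONCE_LEN:NONCE_LEN + len(m2)]
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(m1, m2))
```

With a fixed nonce of zero, as the post suggests, this construction is only safe if every master key is used for exactly one message, which is what the last function demonstrates.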
