[Ach] The sad story of lonely AES-CTR

[Aaron Zauner]

Well. AES-CBC isn’t either. You’ll have to use some HMAC for that in the cipher suite of course.

AES-CTR does not have (to the best of my knowledge) vulnerabilities currently known and you can parallelize it very well in hardware and software (you can’t do that with chaining modes like CBC).

Aaron

On 18 Dec 2013, at 09:15, robin.balean at a-trust.at wrote:

> The reason is probably because AES-CTR is not an authenticated encryption mode.  It just provides encryption.
> 
> Robin
> 
> -----Ursprüngliche Nachricht-----
> Von: ach-bounces at lists.cert.at [mailto:ach-bounces at lists.cert.at] Im Auftrag von Aaron Zauner
> Gesendet: Dienstag, 17. Dezember 2013 20:26
> An: ach at lists.cert.at List Mailing
> Betreff: [Ach] The sad story of lonely AES-CTR
> 
> Ohai.
> 
> Does anyone know why OpenSSL 1.0.1e supports AES-CTR as block cipher mode but misses AES-CTR completely in ciphersuites?
> 
> As it seems Counter Mode never made it to the RFC: http://tools.ietf.org/html/rfc5288
> GCM did.
> 
> “If my calculations are correct” AES-CTR would be significantly faster than AES-GCM (since openssl speed does not support benching aes-gcm nor aes-ctr I simply went for a complexity comparison - I should maybe write a real test for that as well).
> 
> 
> BTW. Ben Laurie commited an exotic chaining mode called IGE to OpenSSL some time ago:
> “”"
> Infinite Garble Extension (IGE) is a block cipher mode[1]. It has the property that errors are propagated forward indefinitely. Bi-directional IGE (biIGE) propogates errors in both directions: that is, any change to the ciphertext will cause all of the plaintext to be corrupted. 
> “”"
> http://www.links.org/files/openssl-ige.pdf
> 
> Aaron

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1091 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131218/7d49f892/attachment.sig>