W3C home > Mailing lists > Public > public-webcrypto@w3.org > September 2012

Re: Support for ECB

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 10 Sep 2012 11:50:14 -0700
Message-ID: <CACvaWvZo1OoSqDGJZ1evn09Xvs5sO1DKTam_ZVPTLwN3VbBfqw@mail.gmail.com>
To: Zooko Wilcox-OHearn <zooko@leastauthority.com>
Cc: "David McGrew (mcgrew)" <mcgrew@cisco.com>, Wan-Teh Chang <wtc@google.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Mon, Sep 10, 2012 at 11:39 AM, Zooko Wilcox-OHearn
<zooko@leastauthority.com> wrote:
> I don't want to encourage people who know no better to pick ECB mode
> from a list of modes.
> But I do want to have access to a naked AES function for uses that
> aren't satisfied by any modes.


> Why not include a naked AES function, but don't list it among the
> optional modes and don't call it "ECB mode"? Call it "bare_AES" and
> specify it to raise an exception unless the data input is exactly one
> block long.

While I understand the desire to make it "harder to use == harder to
get wrong", I'm concerned that the latter requirement would be a real
loss for possible performance. The "ideal" situation is to throw all
of your data at processData(), and then let the onProgress/onComplete
spit back the result. That minimizes any crossing of security
boundaries, ACL checks, process/context/thread switches, etc.
Requiring block-size updates really just rules out all of those.

I think it depends on our naming (ISSUE-37) and how modes are handled
(ISSUE-29), but as we discussed early on, I'd support the concept of
an "unsafe" namespace or naming to indicate that this shouldn't be
used for "new" apps. Implementations that are doing "safe" things
(like implementing CCM atop ECB) would know that *their* use is safe,
whereas unskilled-in-the-cryptographic-dark-arts developers should
hopefully be suitably discouraged.

> Regards,
> Zooko
Received on Monday, 10 September 2012 18:50:45 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:13 UTC