- From: Ryan Sleevi <sleevi@google.com>
- Date: Fri, 14 Sep 2012 15:47:59 -0700
- To: Zooko Wilcox-OHearn <zooko@leastauthority.com>
- Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Fri, Sep 14, 2012 at 3:01 PM, Zooko Wilcox-OHearn <zooko@leastauthority.com> wrote:
> Folks:
>
> Vijay: clever idea.
>
> To Ryan's hypothetical example of using ECB mode to compute a
> non-standard CTR mode efficiently, I'd like to add Vijay's
> hypothetical example of using ECB mode to compute a number of separate
> things (generating IVs, in the example) efficiently. I'm still not
> aware of any actual use of ECB mode in practice which isn't fatally
> flawed, however!
>
> Regards,
>
> Zooko

Sorry that I wasn't clearer earlier. This is exactly how I imagine a "correct" or "ideal" usage of this API - whether CTR or IV.

For example, my application might repeatedly expand a counter block (eg: pre-computing the counter for 1000 16-byte blocks), or in Vijay's case, generate 1000 16-byte IVs, and then pass that entire stream into the ECB.

I'm not sure if mandating one-call-per-block does anything to prevent its misuse, but it makes it rather hard from an implementation standpoint to make any good optimizations.

I agree, the ideal goal is to be able to declaratively describe how things should be done (eg: declare the counter's incrementing function in terms of bits and offsets via supporting a CTR mode of operation), but absent that, I don't think we should necessarily penalize the non-declarative approach.

It seems like your main objection is just whether or not we call the "AES function" as "ECB mode", since functionally they yield identical results (for single block or multiple blocks). I'm just wanting to make sure we've progressed to discussing semantics, or if there is still a functional objection being raised here.

I'm not aware of any safe usages of ECB-the-mode either, so I'd agree with you that it's not meant for general/safe consumption, but I'm not sure the semantic renaming makes things any better or worse for security.

Calling the mode "AES" or "AES-RAW" is, I think, as equally likely to be 'abused', and perhaps more likely to be misunderstood: "I'm using 'AES' because AES is safe, right?"
Received on Friday, 14 September 2012 22:48:27 UTC