Re: Support for ECB

From: Zooko Wilcox-OHearn <zooko@leastauthority.com>
Date: Sat, 15 Sep 2012 07:45:45 -0600
Message-ID: <CAM_a8Jw3205qqP=hL_izQdXnUyAs1a21Fqw38iGcs8_W1hacRA@mail.gmail.com>
To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>

following-up to my own post...

On Sat, Sep 15, 2012 at 2:56 AM, Zooko Wilcox-OHearn
<zooko@leastauthority.com> wrote:
>
> My main objection to standardizing ECB mode is that I have often seen
> it used unsafely, and I haven't seen evidence that anyone has ever
> used it safely in practice.

After I wrote this, I chatted with CodesInChaos ¹ on IRC, who
mentioned that he had implemented CTR mode in .NET using the ECB mode
provided by .NET, since .NET didn't include CTR mode. So now I have an
example of someone actually using Ryan's hack in real life.
CodesInChaos hasn't published his work so I can't link to it or
examine it.

¹ http://codesinchaos.wordpress.com/

Note that this particular need would not arise for programmers using
implementations of webcrypto, since that specification defines CTR
mode and implementations would hopefully provide a native CTR mode. It
would still be needed for non-standard (non-incrementing) CTR mode or,
as Vijay suggested, for other "vectorized AES function" applications.

I still think that the webcrypto standard should omit ECB mode. Misuses of
it that compromise user confidentiality are very common. Legitimate
uses of it for more efficient implementation of other crypto schemes
are, while not entirely non-existent, extremely rare.

Regards,

Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep -- Least Authority Enterprises

https://leastauthority.com
Received on Saturday, 15 September 2012 13:46:13 GMT
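
The construction discussed in the message above, as an added example that is not part of the original post and not CodesInChaos's unpublished code: standard incrementing CTR mode built on a raw ECB block primitive in Node.js, checked against the library's native CTR mode, alongside the repeated-block leak that direct ECB use produces. The key, counter block and plaintext are constructed sample values, and all function names are hypothetical.

```javascript
// Added example (Node.js): CTR mode layered on an AES-ECB primitive.
const crypto = require('crypto');

// Raw AES-128-ECB, no padding; data length must be a multiple of 16.
function ecbEncrypt(key, data) {
  const c = crypto.createCipheriv('aes-128-ecb', key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(data), c.final()]);
}

// Big-endian increment of the whole 16-byte counter block, in place.
function increment(counter) {
  for (let i = counter.length - 1; i >= 0; i--) {
    counter[i] = (counter[i] + 1) & 0xff;
    if (counter[i] !== 0) break; // no carry, done
  }
}

// Keystream block i = ECB(key, counter0 + i); output = data XOR keystream.
// The same call encrypts and decrypts.
function ctrFromEcb(key, counter0, data) {
  const counter = Buffer.from(counter0); // copy; caller's buffer is untouched
  const out = Buffer.alloc(data.length);
  for (let off = 0; off < data.length; off += 16) {
    const ks = ecbEncrypt(key, counter);
    const n = Math.min(16, data.length - off); // last block may be short
    for (let j = 0; j < n; j++) out[off + j] = data[off + j] ^ ks[j];
    increment(counter);
  }
  return out;
}

// Reference: the library's own CTR mode.
function nativeCtr(key, counter0, data) {
  const c = crypto.createCipheriv('aes-128-ctr', key, counter0);
  return Buffer.concat([c.update(data), c.final()]);
}

// Number of distinct 16-byte blocks in a buffer.
function distinctBlocks(buf) {
  const seen = new Set();
  for (let off = 0; off < buf.length; off += 16) seen.add(buf.toString('hex', off, off + 16));
  return seen.size;
}

// Constructed sample values (not from the original message).
const KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const CTR0 = Buffer.from('a0a1a2a3a4a5a6a7a8a9aaabacadfffe', 'hex'); // low bytes wrap on the third block
const REPEATED = Buffer.from('sixteen byte blk'.repeat(3)); // three identical plaintext blocks
const MSG = Buffer.concat([REPEATED, Buffer.from('tail')]); // ends in a partial block
```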