W3C home > Mailing lists > Public > public-webcrypto@w3.org > September 2012

Re: Support for ECB - proposal for a decision

From: Zooko Wilcox-OHearn <zooko@leastauthority.com>
Date: Tue, 25 Sep 2012 20:50:51 -0600
Message-ID: <CAM_a8JwBaG9YX8Wbg-FkSjoLrHhc-ozn1gQTaCiywedNu8BsZA@mail.gmail.com>
To: Harry Halpin <hhalpin@w3.org>
Cc: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>, GALINDO Virginie <Virginie.GALINDO@gemalto.com>, Ryan Sleevi <sleevi@google.com>, Emily Stark <estark@mit.edu>, Richard Barnes <richard.barnes@cleverdis.com>, Anthony Nadalin <tonynad@microsoft.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
I'm sorry I missed the conference call yesterday. I'll endeavour to
attend the next one.

I had an idea inspired by Ryan's arguments about efficiency, that I
haven't had time to properly write up and send to the list. Ryan's
argument that ECB mode could used as a more efficient way to apply the
AES function to a series of input blocks does motivate me. Efficiency
is (sometimes) important.

The idea is: we define a "vector AES" function or "SIMD AES" function,
which takes as its arguments an array of 16-byte blocks and a key.
This would hopefully be more discoverable to someone who is looking
for applying AES in vector form for efficiency (so that they won't be
like I was, and overlook the option of using ECB mode for that
purpose), and it would hopefully be *less* discoverable to someone who
is looking for AES encryption of a variable-length plaintext.

Other operations could also be more efficient in a vector, or "batch",
application, such as application of an HMAC to an array of messages,
yielding an array of tags, which could be performed in parallel
instead of in series if the spec provided a "vector HMAC" call. Or
vector application of a hash function to an array of inputs, yielding
an array of hash values in a "vector SHA-256" call. That could be much
more efficient (on certain architectures involving SIMD and/or
multiple processors) than the equivalent loop over a "single SHA-256"

Some crypto operations can be optimized in even funkier ways than the
normal parallelization/SIMD optimization, such as "batch forgery
identification" in digital signatures.

I think the proposal of providing ECB mode as one of the listed modes
of operation, but including documentation warning about it, is the
same thing that has been tried many times before and has lef to
failures. As I've said, misuse of ECB mode is very common. It happens
so often that another such security failure crossed my desk during
this very conversation. Well, those libraries that have been misused
in that way often include documentation warning about ECB mode. The
recent one that I mentioned — PyCrypto — had this warning in the
documentation of its implementation of ECB mode: “This mode exposes
frequency of symbols in your plaintext. Other modes (e.g. CBC) should
be used instead.” ¹.

Perhaps such warnings have historically not been phrased strongly
enough. Perhaps instead the documentation could say something like
“This mode is insecure when used to encrypt plaintext. It leaks
information about the plaintext, and in many cases the entire
plaintext can be recovered from that information. Do not use this mode
of operation for encryption. It is provided only for use as a
parallelized application of the AES function to non-secret inputs,
such as for implementing a custom CTR mode with a non-standard counter

However it seems likely that the programmers don't really read or
understand the warning in the PyCrypto documentation. Perhaps they
look at the list of the modes of operation, see that one of them is
easier to use because it doesn't require a mysterious object called an
"IV", and so they use that mode.

The suggestion that we should specify a standard for ECB mode for
efficiency reasons carries some weight with me. Efficiency (sometimes)
matters. I wonder if the proposal above to make a feature which is
explicitly useful for vector efficiency would satisfy that need.

But I don't agree with reason that we should specify a standard for
ECB mode because people currently use it. I haven't seen evidence that
our users use ECB mode. I've never seen a use of ECB mode which wasn't
fatally insecure and didn't require immediate alteration or
mitigation. I've *heard* of one (from a fellow named "CodesInChaos" on
IRC a couple of weeks ago), but he hasn't published his work, and
anyway if he is the only person who has done that then it is a very
rare usage. I think the idea that people use ECB mode might be a
mistaken impression from people using a straight AES function, such as
Vijay saying that Microsoft's Bitlocker software uses ECB mode, when
in fact it does not.

If anyone else has examples of people using ECB mode in practice,
either securely or insecurely, please share them with me.

Thanks, folks!



¹ https://www.dlitz.net/software/pycrypto/api/current/
Received on Wednesday, 26 September 2012 02:51:14 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 26 September 2012 02:51:16 GMT