W3C home > Mailing lists > Public > public-webcrypto@w3.org > September 2012

Re: Support for ECB - proposal for a decision

From: Zooko Wilcox-OHearn <zooko@leastauthority.com>
Date: Wed, 26 Sep 2012 05:25:29 -0600
Message-ID: <CAM_a8JxE1ETuPTy7NB=ke=CqqzQ4PU3oVROYNiMQU4i5y-oKOQ@mail.gmail.com>
To: Tom Ritter <tom@ritter.vg>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Hi Tom, thanks for the reply.

On Tue, Sep 25, 2012 at 8:58 PM, Tom Ritter <tom@ritter.vg> wrote:
>
> without ECB mode, I don't believe it would be possible to implement OpenPGP's CFB variant: http://tools.ietf.org/html/rfc4880#section-13.9

I don't follow. Wouldn't you use a simple AES function to implement
PGP CFB? It isn't amenable to parallel processing since the N+1'th
block depends on the output of the N'th block's encryption. (Is that
right? I don't understand that mode very well.)

Just to be clear, I consider these two things to be very different:

1. A function which, if its input is ≤ 16 bytes, returns the
encryption of that input with AES, and if the input is > 16 bytes,
raises an exception.

2. A function which, it its input is ≤ 16 bytes, returns the
encryption of that input with AES, and if the input is > 16 bytes,
leaks the input (or at least partial information about the input) to
any eavesdroppers.

I regard the former, which I call a "bare AES function" as an
unquestionable necessity for the WebCrypto low-level API, and the
latter, which I call "ECB mode" as both dangerous and unnecessary. The
fact that some people think that the difference between these two
functions isn't worth formalizing just perplexes me, quite honestly.

I understand how they are quite close to each other in the abstract,
but to my mind, the difference between them matters a great deal in
practice. A bare AES function is necessary for all sorts of useful
crypto such as Bitlocker. ECB mode is used either never or very
rarely, except in unsafe ways that can endanger the lives and safety
of innocent users.

If I understand correctly, to implement PGP CFB mode, you could use a
simple AES function, and an ECB mode or a vectorized AES function such
as I suggested recently wouldn't be a performance improvement. Is that
right?

Thanks!

Regards,

Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep

https://LeastAuthority.com/
Received on Wednesday, 26 September 2012 11:25:57 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 26 September 2012 11:25:59 GMT