Support for AES ECB

Since Virginie asked for opinions on this issue, I felt inclined to provide one :-)

General: I understand that Ryan et al. do not want to encourage the use of inferior crypto.
Neither do I, but I would rather write something like "Not recommended for new designs".
This particular algorithm is actually *widely deployed*, and in a (NDA-protected) context where the inferiority doesn't have much impact.

Related: A system like WebCrypto makes it simple to design new cryptographically secured protocols.
In my experience, it is quite easy to design bad protocols, even when using excellent cryptographic algorithms.
A real-world example is BSI's EAC (Extended Authorization Control) used in passports:

EAC presumes the use of an HSM which sounds very secure, right?  EAC builds on frequent and automated certificate renewals where the *current* key is used to sign a renewal request containing the *new public key*.  So far so good?  Well, standard HSMs do not have the ability to attest that the *new* key-pair actually resides and was created in the HSM.  So in spite of using state-of-the-art cryptographic algorithms, the *system* (IMO) is pretty broken.


Received on Monday, 10 September 2012 10:56:30 UTC