- From: Zooko Wilcox-OHearn <zooko@leastauthority.com>
- Date: Sat, 15 Sep 2012 07:45:45 -0600
- To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
following-up to my own post...

On Sat, Sep 15, 2012 at 2:56 AM, Zooko Wilcox-OHearn <zooko@leastauthority.com> wrote:
>
> My main objection to standardizing ECB mode is that I have often seen
> it used unsafely, and I haven't seen evidence that anyone has ever
> used it safely in practice.

After I wrote this, I chatted with CodesInChaos ¹ on IRC, who mentioned that he had implemented CTR mode in .NET using the ECB mode provided by .NET, since .NET didn't include CTR mode. So now I have an example of someone actually using Ryan's hack in real life. CodesInChaos hasn't published his work so I can't link to it or examine it.

¹ http://codesinchaos.wordpress.com/

Note that this particular need would not arise for programmers using implementations of webcrypto, since that specification defines CTR mode and implementations would hopefully provide a native CTR mode. It would still be needed for non-standard (non-incrementing) CTR mode or, as Vijay suggested, for other "vectorized AES function" applications.

I still think that webcrypto standard should omit ECB mode. Misuses of it that compromise user confidentiality are very common. Legitimate uses of it for more efficient implementation of other crypto schemes are, while not entirely non-existent, extremely rare.

Regards,

Zooko Wilcox-O'Hearn
Founder, CEO, and Customer Support Rep
--
Least Authority Enterprises
https://leastauthority.com
Received on Saturday, 15 September 2012 13:46:13 UTC