by tptacek
6076 days ago
I think interfaces like this are a step in the right direction, not because they're likely to be correct, but because there's only one implementation to get correct instead of thousands. The AE modes --- CCM, EAX, and GCM being the most popular --- are your safest bet when picking a block cipher mode. But ask yourself: if you're being asked to think about what a block cipher mode is, are you working at the right level of abstraction? For instance: we've beaten CCM constructions that couldn't properly generate a nonce at cold start (you combine a flaw like that with a crasher bug and you have a weaponizable attack), and we've seen CCM schemes where the counter didn't have enough granularity and could be forced to wrap, which can make your scheme vulnerable to pencil-and-paper attacks. Do you know what I'm talking about here? If not, that's kind of my point. I really appreciate anybody who takes the time to point out that encryption is not the same as authentication, and that you have to do both to make a system secure. And I really appreciate anybody who evangelizes for a high-level interface, as opposed to one where you have to know that you're encrypting byte-by-byte (EAX) instead of block-by-block (CBC). I still think the soundest advice you can get is, "rely on TLS if you're moving data, and rely on PGP/GPG if you're storing it; if you have a problem that doesn't fit these perfectly, refactor your problem".
http://www.keyczar.org/
Here's some sample code in Python:
http://code.google.com/p/keyczar/wiki/SamplePythonUsage
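The counter-wrap failure the comment above describes is easy to reproduce and easy to guard against. The following is an added example, not code from the comment's author or from Keyczar: a constructed "naive" nonce scheme (fixed prefix plus a counter masked to too few bytes) that silently repeats nonces once the counter wraps, beside a guarded source that refuses to emit a nonce past the counter's limit and uses a fresh random prefix per instance so that a restart cannot replay an old sequence. All names (`naive_nonce_sequence`, `first_repeat`, `GuardedNonceSource`, `NonceWrapError`) and the field sizes are hypothetical choices for illustration; nonce reuse under any AE mode voids its guarantees, so the practical point is to make the wrap unreachable and to rotate the key before the budget is spent.

```python
"""Nonce counter wrap: the silent failure and a guard that refuses it.

Constructed example with stdlib only; field sizes are illustrative.
"""
import secrets

PREFIX_LEN = 8    # bytes of random per-instance prefix (constructed choice)
COUNTER_LEN = 4   # bytes of message counter; 2**32 messages per prefix


class NonceWrapError(Exception):
    """Raised when the counter is exhausted and the next nonce would repeat."""


def naive_nonce_sequence(count, counter_len=1, prefix=b"\x00" * 12):
    """Weak scheme: fixed prefix, counter masked to `counter_len` bytes.

    Masking makes the counter wrap silently, so message 256 (with a 1-byte
    counter) gets the same nonce as message 0.  Returns the list of nonces.
    """
    mask = (1 << (8 * counter_len)) - 1
    return [prefix + (i & mask).to_bytes(counter_len, "big") for i in range(count)]


def first_repeat(nonces):
    """Return (i, j) for the first reused nonce, or None if all are distinct."""
    seen = {}
    for j, nonce in enumerate(nonces):
        if nonce in seen:
            return seen[nonce], j
        seen[nonce] = j
    return None


class GuardedNonceSource:
    """Nonce = random prefix || big-endian counter; raises instead of wrapping.

    A fresh prefix is drawn from the OS CSPRNG on construction, so a process
    that loses its counter state on restart does not resume an old sequence.
    """

    def __init__(self, prefix=None, counter_len=COUNTER_LEN):
        self.prefix = prefix if prefix is not None else secrets.token_bytes(PREFIX_LEN)
        if len(self.prefix) != PREFIX_LEN:
            raise ValueError("prefix must be %d bytes" % PREFIX_LEN)
        self.counter_len = counter_len
        self.limit = 1 << (8 * counter_len)   # first counter value that would wrap
        self.counter = 0

    def remaining(self):
        """Number of nonces still available before the key must be rotated."""
        return self.limit - self.counter

    def next_nonce(self):
        # Check before emitting: the nonce for `limit` would collide with 0.
        if self.counter >= self.limit:
            raise NonceWrapError("counter exhausted; rotate the key before encrypting more")
        nonce = self.prefix + self.counter.to_bytes(self.counter_len, "big")
        self.counter += 1
        return nonce


if __name__ == "__main__":
    weak = naive_nonce_sequence(300, counter_len=1)
    print("naive scheme first reuse (i, j):", first_repeat(weak))   # (0, 256)

    src = GuardedNonceSource(counter_len=1)
    good = [src.next_nonce() for _ in range(256)]
    print("guarded scheme reuse:", first_repeat(good), "remaining:", src.remaining())
    try:
        src.next_nonce()
    except NonceWrapError as exc:
        print("guarded scheme refused message 257:", exc)
```

The `counter_len=1` runs exist only to make the wrap visible in a few hundred messages; a real deployment sizes the counter so the limit is never reached in the key's lifetime and treats `NonceWrapError` as a key-rotation trigger, not a recoverable condition.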