Open Source and information security mailing list archives
Date: Wed, 28 Dec 2016 17:05:36 +0100
From: Erik Auerswald <>
Subject: Re: [FD] [RT-SA-2016-001] Padding Oracle in Apache


On Tue, Dec 27, 2016 at 09:01:49AM -0800, Tim wrote:
> [...]
> > 
> > But there still are people who use CBC...
> > [...]
> All traditional modes that lack integrity protection are vulnerable to
> chosen-ciphertext attacks in these kinds of scenarios.
> [...]
> All traditional modes need a MAC or similar integrity protection.

That is correct.

> In light of that, there's
> nothing particularly wrong with using CBC, if it is implemented well.
> At least, using it is not *more* wrong than using OFB, CFB, or CTR

That is wrong. CBC mode allows attacks such as "Sweet32",
which is not possible with CTR mode.

> without integrity protection.

Correct again, but too simple-minded. Any encryption without integrity
protection does not provide confidentiality against an active attacker.
Using the wrong mode with a block cipher can render authentication
irrelevant in attacks on confidentiality.

> [...]
> We should instead be pointing developers in
> the direction of using something off-the-shelf [...].
> Much less room for error.

That is sound advice. In addition, broken ciphers, modes, and protocols
still implemented for backwards compatibility should not be used.

[A]pplied cryptography mostly sucks.
                        -- Green's law of applied cryptography

Sent through the Full Disclosure mailing list
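The point argued above (an unauthenticated mode accepts any modified ciphertext, so a MAC is mandatory), as an added Go example that is not part of this thread: bare AES-CTR decrypts a flipped byte without complaint, while an encrypt-then-MAC wrapper verifies the HMAC in constant time and refuses to decrypt at all, which is what denies a padding-oracle style attacker any signal. The fixed keys and IV are constructed for determinism and are not from the discussion.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed fixed keys and IV keep the demo deterministic; real code draws
// fresh random values and never reuses a CTR IV under the same key.
var (
	encKey = []byte("0123456789abcdef") // example AES-128 key
	macKey = []byte("fedcba9876543210") // example, independent HMAC key
	iv     = []byte("example-iv-16byt")
)

// ctrCrypt runs AES-CTR; the same call encrypts and decrypts.
func ctrCrypt(in []byte) []byte {
	block, _ := aes.NewCipher(encKey) // 16-byte key above: cannot fail
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// tag is HMAC-SHA256 over IV||ciphertext (encrypt-then-MAC).
func tag(ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(iv)
	h.Write(ct)
	return h.Sum(nil)
}

// Seal returns ciphertext||tag; Open checks the tag in constant time and
// refuses to decrypt anything that fails verification.
func Seal(pt []byte) []byte { ct := ctrCrypt(pt); return append(ct, tag(ct)...) }
func Open(sealed []byte) (pt []byte, ok bool) {
	n := len(sealed) - sha256.Size
	if n < 0 || !hmac.Equal(sealed[n:], tag(sealed[:n])) {
		return nil, false
	}
	return ctrCrypt(sealed[:n]), true
}

func main() {
	ct := ctrCrypt([]byte("amount=100"))
	ct[7] ^= 0x01 // one flipped bit: bare CTR decrypts it silently
	sealed := Seal([]byte("amount=100"))
	sealed[7] ^= 0x01 // same flip: the tag no longer verifies
	_, ok := Open(sealed)
	fmt.Printf("bare CTR: %q, encrypt-then-MAC accepted: %v\n", ctrCrypt(ct), ok)
}
```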