Camellia project proposal
raeburn at MIT.EDU
Thu Dec 10 18:03:34 EST 2009
On Dec 8, 2009, at 14:35, Sam Hartman wrote:
> However, I would strongly object to an enctype that did not have
> self-describing tokens--that is, an enctype where the plaintext length
> cannot be inferred from the decrypted token.
I think it'd be a nice property to have, but given the existence of
DES and 3DES, we've already lost the ability to take advantage of it
in any real way (we need the self-describing ASN.1 DER encoding), so
I'm not sure what it buys us now.
That said, I'd prefer a studied authenticated encryption mode, rather
than continuing to roll our own, so I'd lean towards CCM or GCM.
Especially if it's an AEAD mode we can use securely in both degenerate
cases we'd care about -- all encrypted data with no associated data,
or no encrypted data and a blob of "associated" data -- so we get both
encryption and checksum operations out of the mode.
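The two degenerate cases above, as an added Go example that is not from the thread or from MIT Kerberos: AES-GCM stands in for Camellia because Go's standard library has no Camellia cipher, and the fixed 12-byte nonce in the test is a constructed value (a GCM nonce must never repeat under one key).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// newAEAD wraps a raw key in AES-GCM. AES stands in for Camellia only
// because Go's standard library has no Camellia cipher; the two usage
// patterns below do not depend on which block cipher sits under the mode.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Degenerate case 1: everything is encrypted, there is no associated data.
// GCM adds no padding, so len(token) == len(plaintext)+aead.Overhead() and
// the plaintext length is recoverable from the token alone.
func encryptOnly(aead cipher.AEAD, nonce, plaintext []byte) []byte {
	return aead.Seal(nil, nonce, plaintext, nil)
}

// Open rejects the token on any tag mismatch, so decryption and integrity
// checking are a single operation.
func decryptOnly(aead cipher.AEAD, nonce, token []byte) ([]byte, error) {
	return aead.Open(nil, nonce, token, nil)
}

// Degenerate case 2: nothing is encrypted; the blob goes in as associated
// data and the tag Seal emits over an empty plaintext is the checksum.
func checksumOnly(aead cipher.AEAD, nonce, blob []byte) []byte {
	return aead.Seal(nil, nonce, nil, blob)
}

// verifyChecksum opens an empty ciphertext that carries only the tag;
// a non-nil error means the blob or the tag was altered.
func verifyChecksum(aead cipher.AEAD, nonce, blob, tag []byte) error {
	_, err := aead.Open(nil, nonce, tag, blob)
	return err
}
```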