Camellia project proposal

Ken Raeburn raeburn at MIT.EDU
Thu Dec 10 18:03:34 EST 2009


On Dec 8, 2009, at 14:35, Sam Hartman wrote:
> However, I would strongly object to an enctype that did not have
> self-describing tokens--that is, an enctype where the plaintext length
> cannot be inferred from the decrypted token.

I think it'd be a nice property to have, but given the existence of
DES and 3DES, we've already lost the ability to take advantage of it
in any real way (we need the self-describing ASN.1 DER encoding), so
I'm not sure what it buys us now.

That said, I'd prefer a studied authenticated encryption mode, rather
than continuing to roll our own, so I'd lean towards CCM or GCM.
Especially if it's an AEAD mode we can use securely in both degenerate
cases we'd care about -- all encrypted data with no associated data,
or no encrypted data and a blob of "associated" data -- so we get both
encryption and checksum operations out of the mode.

Ken
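
An added illustration of the two degenerate AEAD uses Ken describes (this is
example code written for this page, not part of the message above or of the
MIT Kerberos code base). It uses Go's standard-library AES-GCM: the
"encryption" operation seals the plaintext with empty associated data, and
the "checksum" operation seals an empty plaintext with the message as
associated data, so the output is just the 16-byte tag, i.e. a keyed MAC.
Because GCM is a counter mode with a fixed-size tag, the sealed token is
self-describing in Sam's sense: the plaintext length is len(token) minus the
tag size, with no padding and no length field. The key and nonces are
constructed demo values. One caveat the message does not spell out: a GCM
nonce must never be reused under the same key, and that applies to
checksum-only seals too, so each operation below gets its own nonce.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key material, not real keys. AES-128 key and two distinct
// 96-bit GCM nonces: one for the encrypt-only use, one for the checksum-only
// use. Reusing a nonce under one key breaks GCM's confidentiality and integrity.
var (
	demoKey      = []byte("0123456789abcdef") // 16 bytes -> AES-128
	demoEncNonce = []byte("nonce-enc-01")     // 12 bytes
	demoSumNonce = []byte("nonce-sum-01")     // 12 bytes
)

// newGCM builds an AES-GCM AEAD from a raw AES key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the "all encrypted data, no associated data" case.
// The token is ciphertext || 16-byte tag.
func Encrypt(key, nonce, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and fails if any byte of the token was altered.
func Decrypt(key, nonce, token []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, token, nil)
}

// PlaintextLen recovers the plaintext length from a token without decrypting:
// GCM adds no padding, only a fixed-size tag, so the token is self-describing.
func PlaintextLen(key, token []byte) (int, error) {
	aead, err := newGCM(key)
	if err != nil {
		return 0, err
	}
	n := len(token) - aead.Overhead()
	if n < 0 {
		return 0, fmt.Errorf("token shorter than the %d-byte tag", aead.Overhead())
	}
	return n, nil
}

// Checksum is the "no encrypted data, only associated data" case: sealing an
// empty plaintext leaves only the tag, which acts as a keyed MAC over data.
func Checksum(key, nonce, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, nil, data), nil
}

// VerifyChecksum opens a tag-only "ciphertext" with data as associated data;
// Open succeeds only if the tag matches.
func VerifyChecksum(key, nonce, data, tag []byte) bool {
	aead, err := newGCM(key)
	if err != nil {
		return false
	}
	_, err = aead.Open(nil, nonce, tag, data)
	return err == nil
}

func main() {
	msg := []byte("constructed KRB-PRIV payload") // constructed sample message

	token, err := Encrypt(demoKey, demoEncNonce, msg)
	if err != nil {
		panic(err)
	}
	n, _ := PlaintextLen(demoKey, token)
	pt, err := Decrypt(demoKey, demoEncNonce, token)
	fmt.Printf("token %d bytes, inferred plaintext length %d, decrypt ok=%v, match=%v\n",
		len(token), n, err == nil, bytes.Equal(pt, msg))

	tag, _ := Checksum(demoKey, demoSumNonce, msg)
	tampered := append([]byte{}, msg...)
	tampered[0] ^= 1
	fmt.Printf("checksum tag %d bytes, verifies=%v, tampered verifies=%v\n",
		len(tag), VerifyChecksum(demoKey, demoSumNonce, msg, tag),
		VerifyChecksum(demoKey, demoSumNonce, tampered, tag))

	token[0] ^= 1 // flip one ciphertext byte: decryption must now fail
	_, err = Decrypt(demoKey, demoEncNonce, token)
	fmt.Printf("tampered token decrypt error: %v\n", err)
}
```

Both operations come out of the same primitive and the same key schedule, which
is the appeal of the AEAD approach over a separately designed encrypt-then-MAC
construction; the cost is the per-message nonce discipline shown above.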


