[mosh-devel] Why OCB mode?

Keith Winstein keithw at MIT.EDU
Sun Apr 15 14:23:05 EDT 2012


Hello Wen,

Thanks for your e-mail. The main reason we chose OCB is that it was
available in an implementation we can actually deploy. My
understanding is that GCM and CCM did not ship in OpenSSL until about
a month ago (the day after we released mosh 1.0). Almost nobody has
this version of OpenSSL installed on their system or available from
their package manager, and we wouldn't want to require users to
upgrade to a bleeding-edge version of OpenSSL just to use mosh. I'm
not aware of a clean discrete implementation of these modes that we
would want to ship either.

To the extent there's a de-facto standard, I think it is probably in
favor of CTR (or other more-conventional cipher modes) plus HMAC, not
OCB, GCM or CCM.

The patent license for OCB covers mosh, and is contained in the
ocb-license.html file we distribute.

I don't think mosh is a particularly performance-sensitive
application, but these links from the OCB folks may interest you more
generally:

http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm
http://www.cs.ucdavis.edu/~rogaway/ocb/performance/

Best regards,
Keith

On Sun, Apr 15, 2012 at 2:28 AM, Wen Li <wenli380 at gmail.com> wrote:
> What is your justification for using patented software (OCB mode) when
> many patent-free alternatives are available? The de-facto standard now
> is Galois/Counter (GCM) mode, which provides numerous advantages.
>
> - GCM is patent-free
> - Using OCB forces you to license Mosh under the GNU GPL (due to the
> author's license), but using GCM will allow you to use any license you
> want.
> - GCM requires less binary size, because it only uses AES in encrypt
> mode while OCB uses both encrypt and decrypt mode.
> - GCM provides similar performance to OCB and is faster in software
> for very small packets (which is probably applicable to Mosh)
> - Most studies show that GCM would be far faster in hardware for the same cost
> - GCM allows you to have additional authenticated data (AAD) that
> exceeds the block cipher length, unlike OCB
> - GCM can be used as a standalone MAC, unlike OCB
> - GCM is certified by the NSA and used in TLS, SSH, future 802.11ac,
> etc. OCB does not have widespread use/certification and probably not
> the same amount of analysis.
>
> Personally, I would not adopt your software for fear of getting sued
> for patent infringement. The author of OCB (Phillip Rogaway) has made
> it clear that he intends to make full profit off his patent, which has
> blocked OCB from various standards. This is despite the fact that it
> provides no real advantages over GCM.
> _______________________________________________
> mosh-devel mailing list
> mosh-devel at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mosh-devel
