[mosh-devel] Why OCB mode?

Wen Li wenli380 at gmail.com
Sun Apr 15 17:18:23 EDT 2012


Hi Keith, thanks for your reply. I understand your reasons for
choosing OCB but I just hope that you would consider supporting open
standards (GCM, CCM, EAX, etc) in favor of proprietary ones (OCB).

GCM, CCM, and EAX are available in the public domain Crypto++ library
(available in most distributions, or you can static link). You can
also find a standalone implementation of these algorithms at
http://gladman.plushost.co.uk/oldsite/AES/, which is available under a
similar license to the OCB code you are using. Both of these have been
around for quite a while.

On Sun, Apr 15, 2012 at 12:23 PM, Keith Winstein <keithw at mit.edu> wrote:
> Hello Wen,
>
> Thanks for your e-mail. The main reason we chose OCB is that it was
> available in an implementation we can actually deploy. My
> understanding is that GCM and CCM did not ship in OpenSSL until about
> a month ago (the day after we released mosh 1.0). Almost nobody has
> this version of OpenSSL installed on their system or available from
> their package manager, and we wouldn't want to require users to
> upgrade to a bleeding-edge version of OpenSSL just to use mosh. I'm
> not aware of a clean discrete implementation of these modes that we
> would want to ship either.
>
> To the extent there's a de-facto standard, I think it is probably in
> favor of CTR (or other more-conventional cipher modes) plus HMAC, not
> OCB, GCM or CCM.
>
> The patent license for OCB covers mosh, and is contained in the
> ocb-license.html file we distribute.
>
> I don't think mosh is a particularly performance-sensitive
> application, but these links from the OCB folks may interest you more
> generally:
>
> http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm
> http://www.cs.ucdavis.edu/~rogaway/ocb/performance/
>
> Best regards,
> Keith
>
> On Sun, Apr 15, 2012 at 2:28 AM, Wen Li <wenli380 at gmail.com> wrote:
>> What is your justification for using patented software (OCB mode) when
>> many patent-free alternatives are available? The de-facto standard now
>> is Galois/Counter (GCM) mode, which provides numerous advantages.
>>
>> - GCM is patent-free
>> - Using OCB forces you to license Mosh under the GNU GPL (due to the
>> author's license), but using GCM will allow you to use any license you
>> want.
>> - GCM requires less binary size, because it only uses AES in encrypt
>> mode while OCB uses both encrypt and decrypt mode.
>> - GCM provides similar performance to OCB and is faster in software
>> for very small packets (which is probably applicable to Mosh)
>> - Most studies show that GCM would be far faster in hardware for the same cost
>> - GCM allows you to have additional authenticated data (AAD) that
>> exceeds the block cipher length, unlike OCB
>> - GCM can be used as a standalone MAC, unlike OCB
>> - GCM is certified by the NSA and used in TLS, SSH, future 802.11ac,
>> etc. OCB does not have widespread use/certification and probably not
>> the same amount of analysis.
>>
>> Personally, I would not adopt your software for fear of getting sued
>> for patent infringement. The author of OCB (Phillip Rogaway) has made
>> it clear that he intends to make full profit off his patent, which has
>> blocked OCB from various standards. This is despite the fact that it
>> provides no real advantages over GCM.


