Encryptstick alternative5/28/2023 ![]() ![]() One important difference - and a reason implementers have historically preferred block ciphers - is that many block cipher modes allow you to randomly access just a portion of an encrypted message, without wasting time decrypting the whole thing. Block ciphers can be configured to do the same thing ( e.g., by running them in CTR or OFB mode), but they can also process plaintext blocks in other ways. Now, just for the record, Salsa20 is a stream cipher, while AES is a block cipher. This distinction is important: stream ciphers produce a string of pseudo-random output bits which are XORed with the message to be encrypted. This is mostly due to Salsa20’s performance characteristics, but also because people are growing increasingly confident in its security. What are they? Should you trust them? And most importantly: what will they buy you? Salsa20īased on an informal (and totally unscientific poll), the consensus among advanced AES-switchers is that Salsa20 has a lot going for it. But let’s say that you’ve already made the decision to explore more recent, modern alternatives. ![]() In fact, ditching AES would be the opposite of my recommendation. Now I’m not saying that any of these (except possibly for the last reason) are good reasons to ditch AES. And in a few cases your performance constraints are so tight that AES just isn’t fast enough. ![]() Good implementations take this into account, but even the best ones aren’t perfect. To make it run fast you have to expand the key and pre-compute a series of tables - all of which increases key setup time and potentially makes you vulnerable to cache timing attacks. The second (less paranoid) objection is that AES is somewhat troublesome to implement in software. In just the last few years we’ve seen a few impractical attacks on the construction, which could be beginning of a trend. So why not just stick with AES? People who have these discussions generally give a variety of reasons, some of which are more valid than others. First, there’s what I call the ‘slight paranoia’ viewpoint, which holds that AES has been around for a long time and could (soon/someday) fail. If that’s not enough for you, many processors now support AES operations natively, meaning that your application can now offload most of the work to hardware without the help of an expensive co-processor. Not only is AES is the NIST standard (certified in FIPS 140 and NSA’s Suite B), but there are hundreds of solid implementations to choose from. Moreover, the simple advice on AES mirrors the ancient wisdom about IBM: nobody ever got fired for choosing it. In fact, this whole point of view is so rarified that I’ve debated whether to even write this post, since my opinion is that AES is the last place your system is going to break down - and you should be focusing your attention on fixing all the other broken things first. ![]() These discussions always make me leery, since they begin with facts not in evidence, and rarely inspire any confidence that the solution is going to be any better than the ‘problem’. Once in a while I run into discussions that hinge on the following dubious proposition: that AES is bad and we need to replace it. ![]()
0 Comments
Leave a Reply. |