Let's be clear about this, Colin. You're saying that EAX and CCM implementations are so untrustworthy that lay developers should implement their moral equivalents (substituting CBC-MAC and OMAC for HMAC) by hand.

In order to use CTR+HMAC, you have to design your own construction to do so. You likely have to implement HMAC yourself. You have to determine when to apply it, and where to put it in your messages.

CCM and EAX remove those degrees of freedom, which is exactly what you want: the fewer decisions a developer/designer needs to make, the fewer opportunities for things to blow up.

It's the places where primitives join together --- encryption with MAC, for instance --- where crypto protocols are broken. The person who uses OpenSSL is far more likely to make a fatal error than the OpenSSL developers themselves.

With all due respect to Colin, I think this take on how to minimize attack surface is, well, asinine. I think it's based on a bias against crypto library developers, based on the fact that Colin probably knows more about crypto than they do.

Stipulated.

But the point isn't that OpenSSL developers are better, or even comparable to Colin. It's that their code is 1000x more likely to be reviewed than anything anybody else writes. Your hand-hacked CTR + HMAC protocol isn't going to be reviewed by anyone who doesn't have a direct financial interest in your code.

I don't know from where you get the idea that Encrypt-then-MAC is not a standard construction. Encrypt-then-MAC was a standard construction long before EAX and CCM were invented -- in fact, in the paper where EAX is introduced, it is actually defined as an Encrypt-then-MAC composition!

It's the places where primitives join together --- encryption with MAC, for instance --- where crypto protocols are broken.

If you look carefully at recent breaks, they have been in Encrypt-and-MAC and MAC-then-Encrypt -- both of which I specifically mention as inferior to Encrypt-then-MAC.

With all due respect to Colin, I think this take on how to minimize attack surface is, well, asinine. I think it's based on a bias against crypto library developers, based on the fact that Colin probably knows more about crypto than they do.

I apply the same approach of minimizing attack surface even when it's only my own code which is being attacked. The question isn't how prone some code is to vulnerabilities (although in the examples I gave, there certainly is a poor track record) -- the issue is engineering code to eliminate potential risks.

By contrast, EAX is a NIST standard.

I don't find your argument particularly convincing. This "encrypt-then-MAC" thing is a total red herring. You're not advocating for the idiom. You're advocating for people to build their own nonstandard versions of it, because you don't like the library code that already exists for the standard versions.

Let's cut to the chase. I can point out HMAC vulnerabilities. Nate's Google Keyczar finding. SNMPv3. That's 15 seconds worth of research. [edit SSH screwed up HMAC as well.]

It should be at least as easy for you to give me two published implementation flaws in a CCM or EAX implementation. Go.

Funny you mention that. The flaw Nate pointed out in Google keyczar can also affect CCM or EAX (or, for that matter, any authenticated encryption method).

It should be at least as easy for you to give me two published implementation flaws in a CCM or EAX implementation. Go.

Sure:

http://people.csail.mit.edu/tromer/papers/cache.pdf http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

Of course, neither of these two papers mention CCM or EAX -- but the flaws they mention apply to both CCM and EAX (because an attacker can cause you to input a block of his choice to your AES core) while not affecting CTR-then-HMAC.

Second, I cited SSH, SNMPv3, and Keyczar. You responded with localhost cache timing of AES and remote cache timing of naked AES. There's an obvious difference between the two sets: one consists of real attacks, the other of speculative attacks. If your point is valid, it shouldn't be hard for you to name one system in which CCM or EAX were "broken" --- and I'll give you any definition of broken you choose --- because of these papers.

They're both great papers. But I don't think they make the argument you think they do.

Of course not -- keyczar doesn't implement CCM or EAX. But the fact that CCM and EAX are obscure shouldn't count as a point in their favour.

There's an obvious difference between the two sets: one consists of real attacks, the other of speculative attacks.

The Bernstein and Oskiv-Shamir-Tromer attacks were not at all speculative. They showed the concrete theft of a key.

If your point is valid, it shouldn't be hard for you to name one system in which CCM or EAX were "broken" --- and I'll give you any definition of broken you choose --- because of these papers.

I don't know of any systems which use CCM or EAX in software on general-purpose hardware -- but if you name me a system which uses OpenSSL's AES code circa early 2005 in EAX mode, I'll name you a system which was vulnerable to a timing side channel.

Tally ho, Colin! Looking forward to what you find; I'm sure I'll learn something. If Bernstein's attack was really that relevant to real-world cryptosystems, I'm sure you'll come back with something fun.

Which is my real issue. I think Colin's probably right that --- in the abstract --- using HMAC (which doesn't use AES) instead of OMAC (which does) addresses an attack vector. But that attack vector is extremely unlikely, and it's OpenSSL's problem, not yours. Building your own protocol adds tens more vectors, all of which are your problem, and all of which are more likely than a key extraction attack through OMAC that will make your attacker famous.

You're so far better off not trying to implement any of this stuff that it's almost not worth studying. PGP at rest, TLS in motion. Spend your time and heartache on something that will make you money, not something that will get you laughed at by asshole pentesters.

I concur with you that new cryptographic protocols are likely to be flawed, and your recent blog post on that subject was excellent reading.

Idle meta-point: is it just me, or do algorithms that actually encode lengths and counts have a bad track record? MD5, CTR, CCM...

I was more thinking about how the cipher input has a predictable structure, in particular every pair of adjacent blocks differ by only a single fixed bit. This isn't an issue unless the underlying block cipher is badly broken, but it still feels unnecessarily risky.

That's not much of a problem with CTR mode --- CTR encrypts keystream, and XORs your data, so your data doesn't actually influence AES state much --- but it's a potential problem with CBC-MAC or OMAC, which do feed your data through AES.

It feels to me like Colin has a legitimate point --- side channel key extraction would be pretty hard if you had to do it from HMAC instead of with AES --- but that the person who actually came up with a side-channel exploit in a real-world OMAC (EAX) system would get famous over it.

The person who breaks your hand-hacked CTR+HMAC code, which will inevitably contain flaws because it will get no real review... that person doesn't get famous. Her win was entirely predictable.

    e := encrypt(x)
    e := e + sep + hmac(e)

    e, m := split(e, sep)
    if m = hmac(e):
        x := decrypt(e)

The issue isn't that EAX is easier to implement than CTR+HMAC. EAX is actually harder to implement than CTR+HMAC.

The issue is that someone will have already written EAX for you, because EAX is a NIST standard that is used in actual fielded systems. There is no NIST standard AE construction (that I know of; I'm not an expert) that combines CTR and HMAC. You'll have to implement it yourself.

Colin points out (rightly, in the narrow scope he drew) that Google could have made the same error with CBC-MAC or OMAC; they'd still be comparing bytes directly, not doing the safe XOR comparison.

But Colin is making my point for me. Because if you used EAX or CCM, you wouldn't be implementing that compare for yourself; it'd be taken care for you by the block cipher mode, which would yield either a plaintext or a failure.

Yes, the library designer could make that mistake too; after all, Google did! But again, that's my point. Google making this error was a newsworthy event, and the mere fact Google implemented it caused Nate Lawson to review the code and find it. You have none of those benefits. You're going to make the same error, and nobody's going to find it until it matters that you've not made it.

Compared to all that, comparing two HMACs seems relatively straightforward.

What's the context of "usually" here ?

I am asking for examples of the above. I don't understand how you arrived at "usually".

What I am not so sure is the choice of CTR. I currently prefer CFB.

PS: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation makes it clear.