ECB, CBC, CTR, CFB, and OFB are all "XORable", although if you're pointing out that CTR ciphertexts that share a keystream can be XOR'd to decrypt streams, that's a valid point, and one that a MAC (of any type) doesn't solve.
You're so far better off not trying to implement any of this stuff that it's almost not worth studying. PGP at rest, TLS in motion. Spend your time and heartache on something that will make you money, not something that will get you laughed at by asshole pentesters.
There's the problem with keystream reuse, yes, and also the problem shared to some degree by CBC and OFB (but not ECB) that's at its worst in CTR — that you can flip single bits in the plaintext by flipping arbitrary bits in the ciphertext. (But of course that's why you use a correctly-implemented MAC, right?)
I concur with you that new cryptographic protocols are likely to be flawed, and your recent blog post on that subject was excellent reading.
Yes, I suppose that's a unique implementation risk for CTR and in that case Kragen's concerns about XOR are valid as well since you've got a stream cipher with a short period.
I was more thinking about how the cipher input has a predictable structure, in particular every pair of adjacent blocks differ by only a single fixed bit. This isn't an issue unless the underlying block cipher is badly broken, but it still feels unnecessarily risky.
OFB has the same problem with IV reuse, but because CTR divides the IV into a nonce and a counter, it basically begs you to make the error by giving you two opportunities to make it.
Attackers get to arbitrarily change the ciphertext, and can watch the recipient carefully to see how it reacts to different altered ciphertexts. With a bad AES implementation, things like timing differences can leak key bits.
That's not much of a problem with CTR mode --- CTR encrypts keystream, and XORs your data, so your data doesn't actually influence AES state much --- but it's a potential problem with CBC-MAC or OMAC, which do feed your data through AES.
The issue is that the fastest MACs use AES themselves, usually with the same key as was used to encrypt. CBC-MAC, OMAC, GCM, Poly1305-AES, all generate a MAC block (128 bytes, which you can truncate to whatever) in part using AES with your encrypting key.
It feels to me like Colin has a legitimate point --- side channel key extraction would be pretty hard if you had to do it from HMAC instead of with AES --- but that the person who actually came up with a side-channel exploit in a real-world OMAC (EAX) system would get famous over it.
The person who breaks your hand-hacked CTR+HMAC code, which will inevitably contain flaws because it will get no real review... that person doesn't get famous. Her win was entirely predictable.
The issue isn't that EAX is easier to implement than CTR+HMAC. EAX is actually harder to implement than CTR+HMAC.
The issue is that someone will have already written EAX for you, because EAX is a NIST standard that is used in actual fielded systems. There is no NIST standard AE construction (that I know of; I'm not an expert) that combines CTR and HMAC. You'll have to implement it yourself.
My "actual citation of a Rivest student coding for Google making the HMAC error" argument has a THAC0 of 5, and your "yes, but" argument has a THAC0 of 15. You might win this debate, but I doubt it.
Colin points out (rightly, in the narrow scope he drew) that Google could have made the same error with CBC-MAC or OMAC; they'd still be comparing bytes directly, not doing the safe XOR comparison.
But Colin is making my point for me. Because if you used EAX or CCM, you wouldn't be implementing that compare for yourself; it'd be taken care for you by the block cipher mode, which would yield either a plaintext or a failure.
Yes, the library designer could make that mistake too; after all, Google did! But again, that's my point. Google making this error was a newsworthy event, and the mere fact Google implemented it caused Nate Lawson to review the code and find it. You have none of those benefits. You're going to make the same error, and nobody's going to find it until it matters that you've not made it.
Okay, but using an encryption library doesn't guarantee your code is free of mistakes either. Just initiating a generic cryptography library requires a certain amount of specialised knowledge. You have to get the right mode, create a secure key, know how to correctly use an IV or whatever additional parameters the particular encryption algorithm needs.
Compared to all that, comparing two HMACs seems relatively straightforward.
I don't see how having a design goal to allow for a key reuse explains the "usually" part of "fastest MACs use AES themselves, usually with the same key as was used to encrypt". What you listed was the list of MACs that, from my experience, are meant to be used with their own key. That's what I asked about - where did you see them used sharing the key with an encryption cycle ?
I'm not sure if we're splitting hairs or just talking past each other, but can we figure out why it is we care about the world "usually" versus "sometimes" or whatever it is you think is the correct modifier? What's the meta-issue here?
