undefined | Better HN

0 pointsprophesi6y ago0 comments

> Is ECB any worse than any other deterministic encryption?

Yes, it's objectively worse than literally any other AES mode. You wouldn't need to depend on compression to protect your data.

0 comments

cvwright6y ago

Note that I was asking specifically about deterministic modes. Those include SIV mode [1] but not the more common CBC, CTR, etc.

Any deterministic encryption relies on entropy of the plaintext for security [2]. This is not unique to ECB.

My objection was to the hyperbolic phrase "trivially broken." SIV mode is deterministic, but nobody who understands what it does would call it "trivially broken."

And I'm definitely not saying that anyone should use ECB. Just that in this case, the vulnerability may not live up to the hype.

By all means, go ahead bashing on Zoom. It's the cool thing to do these days, and clearly they've done enough to deserve most of it.

[1] https://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf

[2] https://eprint.iacr.org/2006/186

prophesiOP6y ago

I'm personally more upset that they're advertising 256bit AES yet using 128bit AES. Sure, 128bit is still fine to use today, but it's still false advertising. They're already falsely claiming end-to-end encryption. It doesn't help that they're using the weakest mode of AES on top of all of this.

If Zoom had a security audit, the auditors would quickly suggest using either some sort of ECB-based algorithm that uses an SIV, or just AES-CTR. I'm guessing they went with ECB due to its parallelization of the encryption/decryption process, which totally makes sense, except that there are much more secure algorithms out there.

cvwright6y ago

Yeah you have to wonder: Did they just not know about counter mode? The implications of that are frightening.

j / k navigate · click thread line to collapse

0 comments

cvwright6y ago

Note that I was asking specifically about deterministic modes. Those include SIV mode [1] but not the more common CBC, CTR, etc.

Any deterministic encryption relies on entropy of the plaintext for security [2]. This is not unique to ECB.

My objection was to the hyperbolic phrase "trivially broken." SIV mode is deterministic, but nobody who understands what it does would call it "trivially broken."

And I'm definitely not saying that anyone should use ECB. Just that in this case, the vulnerability may not live up to the hype.

By all means, go ahead bashing on Zoom. It's the cool thing to do these days, and clearly they've done enough to deserve most of it.

[1] https://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf

[2] https://eprint.iacr.org/2006/186

prophesiOP6y ago

cvwright6y ago

Yeah you have to wonder: Did they just not know about counter mode? The implications of that are frightening.

j / k navigate · click thread line to collapse