This is a lot of text responding to some pretty simple facts. The only value judgement I've made here is that you might want to look up who people are before you decide to tell them they're spreading false statements (that's with respect to Colm, not me; you can say whatever you'd like about me.)
The rest of it is just: here are things I think you might want to know. Read them again: none of them say you're a bad person. They're just statements of fact.
GCM is "more secure" than CBC because it's authenticated (technically, authenticated with additional authenticated data). CBC is not authenticated; it's malleable, so you can violate integrity and, with CCAs like Vaudenay's oracle, confidentiality as well.
You can separately authenticate CBC with a MAC (usually HMAC); that's the "generic composition" of CBC and HMAC. Generic composition is generally believed to be secure in the encrypt-then-MAC construction, but, as we're seeing with TLS here, not the other way around.
In neither a generic ETM CBC+HMAC nor in GCM should control of any plaintext anywhere in the message allow you to violate cryptographic integrity or confidentiality. But CBC+HMAC != CBC, bringing us back around to our point here.
Padding oracles don't really exploit PKCS7 padding itself so much as they exploit the decryption process of CBC, coupled with the ability to choose ciphertexts (again, a capability GCM takes away from you).
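The three points above (CBC is malleable, a decrypt-and-check-padding API is a full plaintext-recovery oracle, and encrypt-then-MAC closes that oracle because the ciphertext is rejected before CBC decryption ever runs) as an added worked example; this is not code from the thread or from anyone quoted in it. It assumes a toy 16-byte Feistel block cipher keyed with SHA-256 in place of AES so that it runs on the Python standard library alone (the attack does not depend on which block cipher is underneath), PKCS#7 padding, and HMAC-SHA256 as the MAC; the keys, the message and the oracle functions are all constructed here.

```python
import hashlib
import hmac
import os

BLOCK = 16


def _round(key, r, half):
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    # Toy 16-byte block cipher (4-round Feistel keyed via SHA-256). It stands in
    # for AES only so the example needs no third-party library; CBC and the
    # attack below behave the same over any block cipher.
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, _xor(L, _round(key, r, R))
    return L + R


def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for r in reversed(range(4)):
        L, R = _xor(R, _round(key, r, L)), L
    return L + R


def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, msg):
    n = BLOCK - len(msg) % BLOCK
    padded = msg + bytes([n]) * n                      # PKCS#7 padding
    iv = os.urandom(BLOCK)
    blocks, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        blocks.append(prev)
    return b"".join(blocks)                            # IV || C1 || ... || Cn


def cbc_decrypt(key, iv_ct):
    blocks = [iv_ct[i:i + BLOCK] for i in range(0, len(iv_ct), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)                          # raises on bad padding: the oracle


def flip_plaintext_byte(iv_ct, offset, mask):
    # CBC malleability: XOR a byte of C[i-1] (or of the IV) and the same byte of
    # P[i] is XORed on decryption. Byte `offset` of IV||C lines up with byte
    # `offset` of the padded plaintext, so no key is needed.
    buf = bytearray(iv_ct)
    buf[offset] ^= mask
    return bytes(buf)


def padding_oracle_attack(oracle, iv_ct):
    # Recover the plaintext given only oracle(iv_ct) -> "was the padding valid?".
    blocks = [iv_ct[i:i + BLOCK] for i in range(0, len(iv_ct), BLOCK)]
    plain = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)                       # will hold D_k(target)
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos                         # padding value we aim for
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padv            # force trailing bytes to padv
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:                   # rule out a false hit such as ..02 02
                    check = bytearray(forged)
                    check[pos - 1] ^= 0xFF
                    if not oracle(bytes(check) + target):
                        continue
                inter[pos] = guess ^ padv
                break
            else:
                raise RuntimeError("oracle never accepted: no padding oracle here")
        plain += _xor(inter, prev)
    return pkcs7_unpad(plain)


def etm_encrypt(enc_key, mac_key, msg):
    iv_ct = cbc_encrypt(enc_key, msg)
    return iv_ct + hmac.new(mac_key, iv_ct, hashlib.sha256).digest()


def etm_decrypt(enc_key, mac_key, blob):
    iv_ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv_ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")                    # rejected before any CBC decryption
    return cbc_decrypt(enc_key, iv_ct)


def demo():
    enc_key, mac_key = os.urandom(16), os.urandom(16)  # constructed keys
    msg = b"amount=100;to=alice"                       # constructed message
    iv_ct = cbc_encrypt(enc_key, msg)
    # 1. Malleability: turn "100" into "900" with no key and no oracle.
    tampered = cbc_decrypt(enc_key, flip_plaintext_byte(iv_ct, msg.index(b"1"), ord("1") ^ ord("9")))

    # 2. Padding oracle: a decrypt-and-report-padding API leaks the whole plaintext.
    def oracle(ct):
        try:
            cbc_decrypt(enc_key, ct)
            return True
        except ValueError:
            return False
    recovered = padding_oracle_attack(oracle, iv_ct)

    # 3. Encrypt-then-MAC: every forged ciphertext fails the tag check first,
    #    so the attacker never learns anything about padding.
    blob = etm_encrypt(enc_key, mac_key, msg)

    def etm_oracle(ct):
        try:
            etm_decrypt(enc_key, mac_key, ct + blob[-32:])   # reuse the genuine tag
            return True
        except ValueError:
            return False
    try:
        padding_oracle_attack(etm_oracle, blob[:-32])
        etm_closed = False
    except RuntimeError:
        etm_closed = True
    return tampered, recovered, etm_closed


if __name__ == "__main__":
    print(demo())
```

Note that the attack never touches the key: it only needs the two-block forgeries `forged || target` to be decrypted and the padding verdict reported, which is exactly the chosen-ciphertext capability a MAC-then-encrypt or unauthenticated CBC endpoint hands out and an encrypt-then-MAC (or GCM) endpoint does not.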
> This is a lot of text responding to some pretty simple facts. The only value judgement I've made here is that you might want to look up who people are before you decide to tell them they're spreading false statements (that's with respect to Colm, not me; you can say whatever you'd like about me.)
You are correct that I was wrong with what my statements were, but I don't care if it's Jonathan Katz who's spreading misinformation, if I believe someone is spreading misinformation I'm going to call them out on it. I was WRONG this time (again have to admit that?), but am trying to address the original question. Half of that "large text" was new information that you've distracted the topic away from.
And you've done it yet again, changed the topic.
My offtopic sub-point here is that you are taking large quantities of information out of context for no reason other than to change the subject away from actual information search.
> But CBC+HMAC != CBC
Here's what Colm said:
> I know that I'm going to be thought a heretical fool for saying this, but overall I would consider CBC mode "more secure" than GCM.
OMG he said CBC mode (NOT CBC-HMAC!) is "more secure" than GCM! Go call him out on that one sentence taken out of context!
Obviously we are talking about CBC-HMAC because that's the topic. Colm started it on that topic, and if you look at his entire post, the context makes that clear. If you instead focused on the fact that I'm talking in the same context, you wouldn't get off on a tangent that somehow I think that Colm believes CBC mode without an HMAC is somehow more secure (he doesn't, obviously). You are creating a strawman for no reason. You are right, you aren't attacking me. You are conducting half of a strawman argument. You've created a strawman, and just left it there. It's weird. It changes the topic. It serves no purpose except to derail the conversation.
Colm is arguing that CBC with a MAC is more secure than GCM, but if you take the strict way you are interpreting my statements, you would not believe that because you are applying a double standard to me. Colm apparently is allowed to make contextual statements but I am not.
Again, back to the original topic I'm trying to figure out why the encryption experts believe the opposite, which he also says is the overwhelming majority of opinion, and why we are even conversing in the first place. I doubt I can keep this on topic anymore because you keep drifting it off for quite literally no reason.
Screw it. I'm going back to reading the book. I will not share my findings with you because you have already ignored my other findings and theories and it will just fall on deaf ears.
[...]spreading misinformation, if I believe someone is spreading misinformation I'm going to call them out on it. I was WRONG this time (again have to admit that?)
Maybe you're bringing something to the conversation that isn't inherently there? Someone could be just wrong without trying to 'spread misinformation' and cowering in fear of your implacable fist of callout justice. Similarly, someone could just be pointing out you're wrong without a diabolical plan to force you into some embarrassing public recanting and ruin your reputation.
I am lost. What is your complaint at this point? You went on HN, participated in a thread, and now know more about cryptography than you did this morning. You're welcome? :)