
Cryptographic Modes of Operation for the Internet

Abstract

Modes that may be appropriate and secure in one application or environment sometimes fail badly in others. This is especially true of stream modes, where, for example, re-use of the same segment of keystream to protect different plaintexts renders the cipher insecure. The circumstances that can render a mode insecure are not always obvious, nor are the relevant characteristics of a particular application always apparent. Application and protocol designers, even those with experience and training in cryptography, cannot be expected to always identify accurately the requirements that must be met for a mode to be used securely, or the conditions that apply to the application at hand. We strongly urge that, for each adopted mode, the standard include a clear statement of the requirements and assumptions that must be met in order for the mode to be used securely, and of the security properties the mode can and cannot be assumed to have. Furthermore, we urge that detailed examples of acceptable and unacceptable applications of each mode be provided as well. In this draft, we discuss some of the security properties, and pitfalls, of several proposed stream modes, and we note several ways in which these modes would be difficult to use securely in the context of Internet Network-, Transport- and Application-layer protocols.
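The keystream-reuse failure named above is the concrete case a designer most often gets wrong, so here is an added, runnable illustration of it. This code is not from the paper: the keystream generator is an assumption (HMAC-SHA256 run in counter mode, standing in for a real counter-mode cipher such as AES-CTR so that the example needs only the Python standard library), and the two HTTP-like messages are constructed sample input. The algebra is the same for any stream mode, since each computes C = P XOR keystream(key, nonce): two ciphertexts under the same key and nonce XOR to the XOR of their plaintexts, one known plaintext then exposes the other, and, independent of reuse, flipping ciphertext bits flips the same plaintext bits because a bare stream mode provides no integrity.

```python
"""Added example (not the paper's code): two-time-pad recovery and bit-flipping
against a generic stream mode. HMAC-SHA256 in counter mode is an assumed
stand-in for AES-CTR; keystream reuse breaks either in exactly the same way."""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce).
    Block i is HMAC-SHA256(key, nonce || i), i.e. a counter-mode construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-mode encryption: ciphertext = plaintext XOR keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


# Decryption is the same operation; nothing here authenticates the ciphertext.
decrypt = encrypt


def recover_with_known_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Attacker's view: c1 and c2 were produced under the same (key, nonce) and
    p1 is known. Since c1 ^ c2 == p1 ^ p2, the overlapping prefix of p2 is
    c1 ^ c2 ^ p1. No key material is needed."""
    n = min(len(c1), len(c2), len(p1))
    return xor(xor(c1[:n], c2[:n]), p1[:n])


def flip_bits(ciphertext: bytes, offset: int, delta: bytes) -> bytes:
    """Malleability: XOR-ing delta into the ciphertext at `offset` XORs the same
    delta into the decrypted plaintext at that offset."""
    c = bytearray(ciphertext)
    for i, d in enumerate(delta):
        c[offset + i] ^= d
    return bytes(c)


def demo() -> dict:
    """Run the reuse attack, the distinct-nonce control, and the bit-flip forgery."""
    key = os.urandom(32)
    nonce = os.urandom(12)            # the segment of keystream that gets reused
    # Constructed sample messages, not captured traffic.
    p1 = b"GET /account HTTP/1.1\r\nCookie: session=ABC123"
    p2 = b"GET /account HTTP/1.1\r\nCookie: session=XYZ789"

    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)      # same key, same nonce: the mistake
    recovered = recover_with_known_plaintext(c1, p1, c2)

    # Control: with a fresh nonce the keystreams differ and the same trick
    # yields unrelated bytes, which is the property the mode actually promises.
    c2_fresh = encrypt(key, os.urandom(12), p2)
    junk = recover_with_known_plaintext(c1, p1, c2_fresh)

    # Integrity is not among the mode's properties: rewrite the session token
    # in the ciphertext without knowing the key.
    offset = p2.index(b"XYZ789")
    forged_ct = flip_bits(c2, offset, xor(b"XYZ789", b"ZZZ999"))
    forged = decrypt(key, nonce, forged_ct)

    return {"p2": p2, "recovered": recovered, "junk": junk, "forged": forged}


if __name__ == "__main__":
    r = demo()
    print("recovered under reused nonce:", r["recovered"])
    print("same attack, fresh nonce:    ", r["junk"])
    print("bit-flipped plaintext:       ", r["forged"])
```

The control case is the check a practitioner should keep in mind when reading a mode's specification: the mode is only as strong as the guarantee that (key, nonce) pairs never repeat, and that guarantee is a property of the surrounding protocol (sequence numbers, rekeying, retransmission handling), not of the cipher.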
