Nov 14, 2012 at 4:17 pm
On Tuesday, November 13, 2012 2:02:45 PM UTC-5, Jonathan Rudenberg wrote:
> I was looking through crypto/cipher and noticed that there are no
> authenticated encryption modes. Are there any Go implementations of GCM,
> EAX or CCM in use?
The vast majority of symmetric encryption uses these days should really be
using authenticated encryption due to the attacks that are possible when
using an unauthenticated mode. It is possible to Encrypt-then-MAC, but this
requires the developer to implement it securely.
As already noted, the recommended authenticated encryption is NaCl, which
is implemented in go.crypto.
GCM, unfortunately, is prone to side-channel attacks when implemented in
software because it's a hardware-orientated design. Support for it may
appear in the main repo at some point in order to support TLS 1.2, but it's
not a priority right now. (If it does, hopefully we can get a bitsliced
implementation and AES-NI support in order to avoid those concerns.)