
Are you arguing that AES-CBC + HMAC is NOT a sound construction, or are you just augmenting my comment with more information?


I'm not sure.

I think I'm saying that a "formally proven sound" construction that is full of poorly understood traps for the implementer on actual machines is not always the best choice in practice.


Absurdly intelligent and well-informed crypto people have screwed up CTR mode before.


Yep. I think we can go farther than that and say that it's been historically screwed up by protocol designers and/or implementers more often than not (with predictable IVs, timing and length oracles, MAC-then-encrypt, etc.).





