Given that CBC mode encryption is vulnerable to padding oracle attacks, what is the next best alternative?

a) Include a hash check in the API scheme, validate the hash and then proceed with CBC. If the hash check fails, return an error indicating the same. E.g.: include an HMACSHA256(AES256(plaintext)) checksum that is required to be validated as part of the message.

b) Implement a custom CBC mode that includes an HMAC/equivalent checksum at the end of each encryption block (along the lines of padding). E.g.: create our own scheme along the lines of "AES/CBC/PKCS5Padding/HMACSHA256". Are there any plans drafted by NIST / W3C to incorporate such a scheme?

c) Switch to GCM mode encryption. How does it compare to CBC in terms of cryptographic strength?

Ravindra HV

1 Answer

GCM is a very good alternative: it provides built-in message authentication, so encrypted messages cannot be manipulated by an attacker.

The encryption itself is based on CTR mode which is well understood and is secure when used correctly.

The main thing to notice is the severity of nonce reuse: reusing a counter value with the same key is catastrophic. Be sure you use GCM correctly and you will be fine.

Meir Maor