
I am developing a symmetric en-/decryption routine written in c# for a database


Question

I am developing a symmetric en-/decryption routine written in c# for a database containing user-specific, sensitive information.

I have narrowed down the implementation to 3 different approaches, but simply cannot determine which is the "best". So, which of these is the most secure?

1) AES in GCM mode. Using either the BouncyCastle or the CLR Security implementation. For those who don't know, GCM mode utilizes CTR mode with a provided counter (not sure of the exact implementation) and an additional message authentication process (definitely not HMAC).

2) AES in CTR mode. Using Bouncy or CLR Security again. In this instance I would use the .NET HMAC and utilize a 16-byte IV, randomly generated (securely), as the unique nonce.

3) AES in CBC mode. Using the .NET implementation. Again the HMAC from .NET and a random IV.

The simpler the better, because I'll probably mess it up.

Thanks a bunch

Explanation / Answer

GCM mode is best, as it cannot be attacked using padding oracle attacks, which are much more common than commonly thought. It is also the only one providing integrity protection, something that is certainly much overlooked.

Make really sure your NONCE is random though, or use one that is uniquely defined (even in time) within the database.

SquareRootOfTwentyThree makes a valid objection in saying that the comparison should have been between GCM mode and symmetric ciphers + HMAC. There are several reasons why I would favor GCM mode over HMAC:

This is opinionated as all can be made secure.

The last point about the HMAC check sounds obvious, but see what happened to XML encryption in WS-Security, where in most implementations the signature validation could be switched off, leading to padding oracle attacks. Creating a protocol that simply performs GCM mode has fewer points of failure.

Note that the drawback regarding the NONCE mentioned by CodesInChaos is a valid one. Unfortunately any of these algorithms is affected if the IV or NONCE is not used correctly.

GCM is starting to be used in updates of several protocols (TLS, XML encryption) and has been approved by NIST.
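The approach the answer recommends, as an added example (not code from the asker or the answerer): AES-GCM over one database column value, with a fresh random 96-bit nonce per encryption and the row identifier bound as associated data, so that a blob copied into another row, or modified in place, is rejected before any plaintext is returned. It assumes .NET 8's `System.Security.Cryptography.AesGcm` (the two-argument constructor; older targets use `new AesGcm(key)`) and a key supplied from a key store; the class, the `rowId` parameter and the sample values are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
public static class RecordCrypto
{
    private const int NonceSize = 12; // 96-bit nonce, the size GCM is specified for
    private const int TagSize = 16;   // 128-bit authentication tag
    // Stored blob layout: nonce || tag || ciphertext. rowId is bound as associated data
    // (authenticated, not encrypted), so a blob moved to another row fails to decrypt.
    public static byte[] Encrypt(byte[] key, byte[] plaintext, string rowId)
    {
        // Fresh random nonce per call; a repeated (key, nonce) pair breaks GCM's confidentiality
        // and integrity, and random nonces should be limited to about 2^32 messages per key.
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagSize];
        using (var aes = new AesGcm(key, TagSize)) // .NET 8 constructor; older: new AesGcm(key)
            aes.Encrypt(nonce, plaintext, ciphertext, tag, Encoding.UTF8.GetBytes(rowId));
        byte[] blob = new byte[NonceSize + TagSize + ciphertext.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, NonceSize);
        Buffer.BlockCopy(tag, 0, blob, NonceSize, TagSize);
        Buffer.BlockCopy(ciphertext, 0, blob, NonceSize + TagSize, ciphertext.Length);
        return blob;
    }
    // Returns null when the tag check fails (tampered blob, wrong key, or wrong row),
    // so unauthenticated plaintext is never handed back to the caller.
    public static byte[] Decrypt(byte[] key, byte[] blob, string rowId)
    {
        if (blob.Length < NonceSize + TagSize) return null;
        byte[] nonce = blob[..NonceSize];
        byte[] tag = blob[NonceSize..(NonceSize + TagSize)];
        byte[] ciphertext = blob[(NonceSize + TagSize)..];
        byte[] plaintext = new byte[ciphertext.Length];
        try
        {
            using var aes = new AesGcm(key, TagSize);
            aes.Decrypt(nonce, ciphertext, tag, plaintext, Encoding.UTF8.GetBytes(rowId));
            return plaintext;
        }
        catch (CryptographicException) { return null; } // includes AuthenticationTagMismatchException
    }
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // AES-256; load from a key store in production
        byte[] blob = Encrypt(key, Encoding.UTF8.GetBytes("constructed sample record"), "user:42");
        Console.WriteLine(Decrypt(key, blob, "user:42") != null); // correct row: decrypts
        Console.WriteLine(Decrypt(key, blob, "user:43") != null); // blob moved to another row: rejected
        blob[^1] ^= 1;                                             // flip one ciphertext bit
        Console.WriteLine(Decrypt(key, blob, "user:42") != null); // tampered ciphertext: rejected
    }
}
```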