Feedback about recommended AES modes

[randomstuff]

Feedback from Bart Preneel related to AES modes (other aspects are discussed in #2495):

I am not sure that it is a good idea to separate encryption from data authentication. I would thus call this section Authenticated Encryption algorithms and say that for the encryption component you only allow AES and Chacha-20 (I would not add Salsa20).

[...]
The only AES-based authenticated encryption algorithms that can are recommended for general use are: GCM, CCM, CCM-8, OCB (OCB has been added here – make sure you use the right version).

Add a warning that AES-GCM is particularly vulnerable to a nonce reuse attack that such vulnerabilities have already been identified earlier in some libraries.

Some notes/questions:

• CCM-8 is listed here (see Crypto Appendix - Restrictions on CCM8 #2413), so maybe it makese sense to keep this.

• OCB is not listed. We should probably add it.

• CBC is not mentioned in this feedback but is currently approved in the document. Shall we do something about it? For what it's worth, it is still allowed by NIST / FIPS. Should we list it are "approved but discouraged / legacy" ? (see Appendix Crypto - Allowed mechanisms and requirement levels #2398 (comment))

• Shall we explicitly talk about nonce reuse in AES-GCM somewhere ? We already have:

  [MODIFIED, MOVED FROM 6.2.6, LEVEL L2 > L3] Verify that nonces, initialization vectors, and other single-use numbers are not used for more than one encryption key/data-element pair. The method of generation must be appropriate for the algorithm being used.

[tghosth]

OCB seems to have licensing issues. For the others, I defer to Daniel :)

[randomstuff]

OCB seems to have licensing issues.

Apparently, this is not an issue anymore. https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/

[randomstuff]

OCB v3 is RFC7253. The previous version have vulnerabilities.

[tghosth]

ok cool so @danielcuthbert @unprovable any comments on this?