You previously said CTR mode nonce repetitions are “always bad” and are “game-over”. I provided a simple counterexample.
You also said that IV reuse in CBC mode can only be exploited if you set up an ECB-style attack. Also untrue.
Now you have retreated to merely claiming that CBC issues are less likely to be exploitable, but have provided absolutely zero evidence to back up that assertion. I don’t think you could really stand that up without making a bunch of assumptions about typical application data that I think are shaky.
The way to address this is not to endlessly debate the pros and cons of different confidentiality-only cipher modes. Instead, modern crypto acknowledges that none of them are CPA-secure in the case of IV reuse, and they all leak info in different ways. The best course of action is then to assume that in the worst case they are basically all terrible and design around that at higher levels: like SIV, or XChaCha, or whatever.
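As an added illustration of the "they all leak info in different ways" point (example code added here, not from either commenter): the script below runs CTR and CBC over a toy 4-round Feistel block cipher built from HMAC-SHA256 instead of AES, an assumption made so it runs with only the Python standard library; the leaks shown are properties of the modes, not of the cipher. The helper names (`ctr_nonce_reuse_leak`, `cbc_iv_reuse_leak`, `NonceGuard`) and the sample messages are constructed for the example.

```python
import hashlib
import hmac
from typing import Set, Tuple

BLOCK = 16  # 128-bit blocks, so the mode-level behaviour matches an AES deployment

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: HMAC-SHA256 used as a PRF, truncated to a half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel cipher standing in for AES (assumption: the leaks
    # shown below are properties of the modes, not of the block cipher).
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r

def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # CTR: keystream block i = E_k(nonce || i); decryption is the same call.
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(BLOCK - len(nonce), "big")
        out += _xor(plaintext[i:i + BLOCK], block_encrypt(key, counter_block))
    return bytes(out)

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: C_i = E_k(P_i XOR C_{i-1}) with C_0 = IV.
    padded, prev, out = pkcs7_pad(plaintext), iv, bytearray()
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return pkcs7_unpad(bytes(out))

def ctr_nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    # Same key and nonce => same keystream, so C1 XOR C2 == P1 XOR P2: the
    # relationship between the two plaintexts is exposed without the key.
    return _xor(ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2))

def cbc_iv_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> int:
    # Same key and IV => ciphertext blocks are identical exactly as far as the
    # plaintexts share a prefix. Returns the number of shared blocks exposed;
    # with distinct IVs this is 0 even for identical plaintexts.
    c1, c2 = cbc_encrypt(key, iv, p1), cbc_encrypt(key, iv, p2)
    shared = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        shared += 1
    return shared

class NonceGuard:
    # Defensive check for code that picks its own nonces/IVs: refuse to encrypt
    # twice under the same (key, nonce) pair within this process.
    def __init__(self) -> None:
        self._seen: Set[Tuple[bytes, bytes]] = set()

    def register(self, key: bytes, nonce: bytes) -> None:
        entry = (hashlib.sha256(key).digest(), nonce)  # never retain the raw key
        if entry in self._seen:
            raise ValueError("nonce/IV reused under the same key")
        self._seen.add(entry)
```

Running `ctr_nonce_reuse_leak` on two constructed messages such as `b"to=alice@example.com;amount=100"` and `b"to=alice@example.com;amount=999"` under one (key, nonce) returns exactly `P1 XOR P2` for the whole message; `cbc_iv_reuse_leak` on the same pair returns 1, i.e. only the fact that the first 16-byte block is shared, and 0 once the IVs differ. That is the difference in shape between the two leaks the post is talking about; `NonceGuard` is only a process-local sanity check, and the design-level answer remains a misuse-resistant construction as the post says.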
I didn't catch the CTR bit in your key wrap example. To be honest, when people start talking about key wrapping, I stop paying attention.
We just disagree. You have a purer take on this stuff. My personal experience, which is that of a vulnerability researcher and not that of a cryptography engineer, is that the purity test perspective is helpful for spotting patterns of vulnerability, but that's about it. It's demonstrably safer to run a CBC+HMAC authenticated secure channel than to run a GCM secure channel, and lots of people do exactly that for exactly that reason. The purity test vantage says "feh! the same bug exists in both!". The vulnerability researcher vantage says "no, all bugs are not in fact the same".