
Here's a fun thought experiment: find the first "good" encryption method you could crib from off of a simple Google search, and provide the Google search that found it.


"Encrypting data: Use AES in CTR (Counter) mode, and append an HMAC."

Google search: "cryptography answers" :-)


[cryptography answers] gives me:

* Hottest 'cryptography' answers [stackoverflow.com]

* Hottest 'cryptography' answers [bitcoin.stackexchange.com]

* 'cryptography' Answers By New Users [bitcoin.stackexchange.com]

* CISSP Exam Cram, Second Edition [safaribooksonline.com]

* CEH® Certified Ethical Hacker Study Guide [safaribooksonline.com]

* CISSP Rapid Review [safaribooksonline.com]

I think you wanted to suggest searching for [cryptographic right answers]. But of course, nobody will search for that.


Looks like Google is reordering results for us. When I'm logged in, daemonology.net is the first result I get for [cryptography answers]; when I'm incognito, it's 3rd, after two crypto.stackexchange.com pages.


Sadly, not sure that would have helped. AES CTR is vulnerable to the exact same reused key vuln. Picking the wrong stream cipher isn't the problem.


Picking the wrong stream cipher isn't the problem, but it is a problem. RC4: Just Say No.


Does it have advice for selecting an IV?


CTR mode doesn't have IVs. It has a counter: Start at zero and count upwards.


Depending on whether the key may be reused, having a non-zero nonce may be a good idea too...

---

And I just realised who I am replying to, of course you know this.


I was being a bit facetious in discriminating between "IV" and "nonce"... they're almost two sides of the same coin.


And don't overflow.


If you need to send more than 2^68 bytes of data, you've got bigger problems than your crypto breaking.


You're assuming a correct implementation with a 64-bit counter, though.


Yes. I'm also assuming people have correct implementations of AES.


I have never exploited an incorrect implementation of an AES core in a real application, but have exploited "broken" counters.
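The construction recommended at the top of the thread (AES in CTR mode with an HMAC appended) with the nonce-and-counter layout the later comments argue about, written out as an added Go example that is not code from any commenter: the 16-byte counter block is an 8-byte per-message nonce followed by a 64-bit counter that starts at zero, the HMAC covers the nonce as well as the ciphertext, and the tag is checked in constant time before anything is decrypted. The function names (`ctrXOR`, `SealWithNonce`, `Open`), the 8||8 split of the counter block and the use of separate encryption and MAC keys are my assumptions, not something the thread specifies.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

const nonceLen, tagLen = 8, sha256.Size
// ctrXOR runs AES-CTR with counter block nonce(8)||counter(8); the counter
// starts at zero and wraps into the nonce half only after 2^64 blocks.
func ctrXOR(encKey, nonce, dst, src []byte) error {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return err
	}
	iv := make([]byte, aes.BlockSize) // low 8 bytes are the zeroed counter
	copy(iv, nonce)
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
	return nil
}

// SealWithNonce is encrypt-then-MAC: output nonce(8)||ct||tag(32), tag over the
// nonce too. Never reuse a nonce under one key: keystream reuse leaks ct1^ct2.
func SealWithNonce(encKey, macKey []byte, nonce [nonceLen]byte, msg []byte) ([]byte, error) {
	out := make([]byte, nonceLen+len(msg), nonceLen+len(msg)+tagLen)
	copy(out, nonce[:])
	if err := ctrXOR(encKey, nonce[:], out[nonceLen:], msg); err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open checks the tag in constant time before decrypting anything.
func Open(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < nonceLen+tagLen {
		return nil, errors.New("message too short")
	}
	body, tag := sealed[:len(sealed)-tagLen], sealed[len(sealed)-tagLen:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	pt := make([]byte, len(body)-nonceLen)
	return pt, ctrXOR(encKey, body[:nonceLen], pt, body[nonceLen:])
}
```

Because the nonce sits in the high half of the counter block, the "start at zero and count upwards" counter never collides with another message's keystream as long as the nonce is fresh; a random 8-byte nonce is what a caller would generate per message before calling `SealWithNonce`.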




