Camellia is the only possible alternative cipher to AES in TLS. > little supported, never negotiated cipher
One of the largest websites which support Camellia is Yahoo!. Firefox 26 or lower use TLS_RSA_WITH_CAMELLIA_256_CBC_SHA with Yahoo!. > not as well-tested & reviewed as AES ciphersuits Camellia is widely reviewed and chosen as a recommended cipher by several independent committees. If CAMELLIA_CBC is dropped by security reason, AES_CBC should be also dropped. 1. NESSIE in 2003: https://www.cosic.esat.kuleuven.be/nessie/deliverables/decision-final.pdf 2. CRYPTREC in 2013: http://www.cryptrec.go.jp/english/method.html 3. ENISA in 2013: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report AES and Camellia are recommended for 128-bit block ciphers by these 3 committees. NESSIE says > The AES has been scrutinised by the U.S. National Institute of > Standards and Technology as a secure block cipher and adopted as a > U.S. Federal Information Processing Standard. Camellia has many > similarities to the AES, so much of the analysis for the AES is also > applicable to Camellia. It is also the case that the NESSIE project > did not find an attack on either the AES or Camellia. However, the > NESSIE partners, as well as the wider cryptographic community, have a > wide range of views about the AES and Camellia. Many NESSIE partners > have significant concerns that the simple algebraic structure of the > AES, and to a somewhat lesser extent Camellia, may lead to future > breakthroughs in the analysis of these block ciphers. CRYPTREC says > Camellia has been widely reviewed. > Unlike AES-192/256, related-key attack against Camellia is not reported. > Biclique attack to Camellia (with 2^128 Plaintext-Ciphertext pairs): > Camellia-128: 2^127.6, -192: 2^191.7, -256: 2^255.7 > (AES-128: 2^126.16 with 2^64 P-C pairs, 2^125.6 with 2^128 P-C pairs, > -192: 2^189.74 with 2^80 P-C pairs, -256: 2^254.42 with 2^40 P-C pairs) (roughly summarized and translated from http://cryptrec.go.jp/report/c12_sch_web.pdf) ENISA says > The Camellia block cipher is used as one of the possible cipher > suites in TLS, and unlike AES is of a Feistel cipher design. Camellia > has a block length of 128 bits and supports 3 key lengths: 128, 192 > and 256 bits. The versions with a 192- or a 256-bit key are 33% > slower than the versions with a 128-bit key. > Observation: Just as for AES there is a relatively simple set of > algebraic equations which define the Camellia transform; this might > leave it open to algebraic attacks. However, just like AES such > attacks have not been shown to be effective. > we see that only the use of Camellia and AES are recommended within > a mode such as GCM or CCM. CAMELLIA_GCM for TLS has been already determined in RFC 6367. Bug for implementation of TLS_ECDHE_*_CAMELLIA_*_GCM to libssl is open (bug 940119). -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
