> Same here.  AES is, as far as we know, pretty secure, so any problems are
> going to arise in how AES is used.  AES-CBC wrapped in HMAC is about as solid
> as you can get.  AES-GCM is a design or coding accident waiting to happen.

But for right now, what options do we have that are actually implemented

Take SSL. CBC mode has come under pressure for SSL (CRIME, BEAST, etc.),
and I don't see any move towards TLS > 1.0.

RC4 was good enough for a while, but with djb's new work - it's just
waiting to be improved and made practical by someone. FWIW, we still use
RC4 on our servers, but I'd be happy to see something else that is

Of course, the above attacks are probably not one of your worries when
you're up against the NSA - your own system is probably much more

The cryptography mailing list

Reply via email to