On 09/11/2013 12:54 PM, Alan Braggins wrote:
On 10/09/13 15:58, james hughes wrote:
On Sep 9, 2013, at 9:10 PM, Tony Arcieri <[email protected]
<mailto:[email protected]>> wrote:
On Mon, Sep 9, 2013 at 9:29 AM, Ben Laurie <[email protected]
<mailto:[email protected]>> wrote:
And the brief summary is: there's only one ciphersuite left that's
good, and unfortunately its only available in TLS 1.2:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
A lot of people don't like GCM either ;)
Yes, GCM does have implementation sensitivities particularly around the
IV generation. That being said, the algorithm is better than most and
the implementation sensitivity obvious (don't ever reuse an IV).
I think the difficulty of getting a fast constant time implementation on
platforms without AES-NI type hardware support are more of a concern.
Is this any different from plain old AES-CBC?
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
