On 10/4/13 9:48 PM, Jeffrey Goldberg wrote:

The AES “failure” in TLS is a CBC padding failure. Any block cipher would have “failed” in exactly the same way.

Yes, I know. My second point, about needing a stream cipher other than RC4, is what's applicable to the current "BEAST vs RC4" dilemma. My point with block ciphers was more hypothetical. As far as we know, AES is good, but some day it might turn out not to be, and even now, there is the concern that the AES-256 key schedule is not as good as it could be. My point was just that if you are going to have multiple block ciphers, you should have some diversity, and be able to explain the rationale for why you picked each one. (i.e., "This one was for speed, that one was for security margin.") But TLS seems to have opted for the logic that "if one 128-bit block cipher is good, four 128-bit block ciphers are better." Perhaps Camellia is a good back-up to AES; I don't know. But I'm not aware of it having been presented as "has a higher security margin" or something like that, the way Serpent could have been presented. It was just "here's another one." And then we got SEED and ARIA piling on after that. (Or maybe SEED was before Camellia; I don't remember, and it doesn't really matter.)

Yes, CBC mode has been an issue in a lot of the recent attacks against TLS. So, block cipher modes are another axis for diversity. A lot of folks seem to be putting a lot of eggs in the GCM basket lately. Maybe that's okay, but I know some concerns have been raised about the complexity of implementing GCM, and the potential for side-channel attacks. Maybe we need EAX as a backup in case GCM doesn't turn out to be as great as it was supposed to be. Again, I'm not *specifically* saying we need a Serpent-EAX cipher suite or something like that. I'm just saying that, in general, this is the kind of thinking that should be going on: how can we add cipher suites that add diversity, rather than just "me too?"

--Patrick

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
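An added example, not part of the thread: a small Python script that sorts IANA-style TLS cipher suite names along the two diversity axes Patrick raises (cipher block size and mode of operation) and flags the buckets where several cipher families land on the same point, which is the "four 128-bit block ciphers in CBC" situation he describes. The suite list and the block-size table are constructed here for illustration and are not any real server's configuration.

```python
from collections import defaultdict

# Constructed sample of IANA-style suite names (illustrative subset only).
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_SEED_CBC_SHA",
    "TLS_RSA_WITH_ARIA_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Block size in bits per cipher family (hand-filled table, an assumption);
# families missing here are treated as stream ciphers (block_bits None).
BLOCK_BITS = {"AES": 128, "CAMELLIA": 128, "SEED": 128, "ARIA": 128, "3DES": 64}

# Mode tokens that may follow the cipher name and key size in a suite name.
MODE_TOKENS = {"CBC": "CBC", "GCM": "AEAD", "CCM": "AEAD", "POLY1305": "AEAD"}


def parse_suite(name):
    """Split one suite name into cipher family, key size, mode and block size."""
    tokens = name.split("_WITH_", 1)[1].split("_")
    cipher, keybits, mode = tokens[0], None, "stream"
    for tok in tokens[1:]:
        if tok.isdigit() and keybits is None:
            keybits = int(tok)          # e.g. the 128 in AES_128_CBC
        elif tok in MODE_TOKENS:
            mode = MODE_TOKENS[tok]     # CBC, or AEAD for GCM/CCM/POLY1305
            break
    return {"name": name, "cipher": cipher, "keybits": keybits,
            "mode": mode, "block_bits": BLOCK_BITS.get(cipher)}


def diversity_report(suites):
    """Bucket suites by (block size, mode); list the cipher families in each."""
    buckets = defaultdict(set)
    for s in map(parse_suite, suites):
        buckets[(s["block_bits"], s["mode"])].add(s["cipher"])
    return {key: sorted(fams) for key, fams in buckets.items()}


def redundant_buckets(suites):
    """Buckets with more than one family: same block size and same mode,
    so the extra ciphers add little diversity against a mode-level break."""
    return {k: v for k, v in diversity_report(suites).items() if len(v) > 1}


if __name__ == "__main__":
    for key, fams in diversity_report(SAMPLE_SUITES).items():
        print(key, fams)
```

Feeding a real server's offered suite list (in IANA naming) into `redundant_buckets` shows at a glance which additions are "me too" and which actually open a new axis.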
