Other recommended reading when discussing this:

"Are 256-bit keys less secure than 128-bit keys?"

On Wed, Nov 25, 2015 at 2:01 PM, April King <ap...@mozilla.com> wrote:

> My colleague Julien Vehent and I are in the process of updating the
> Mozilla Server Side TLS documentation:
> https://wiki.mozilla.org/Security/Server_Side_TLS
> One of the topics of conversation was whether or not the Modern TLS
> configuration should prefer AES-256 over AES-128.  Recently, there has been
> some doubt cast over the security of AES-128, between posts by security
> researchers like djb, as well as the recent decision by the NSA to
> recommend AES-256 over AES-128, due to its increased resistance against
> quantum cryptography:
> http://blog.cr.yp.to/20151120-batchattacks.html
> https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
> The general consensus was to bring the conversation to the dev.tech.crypto
> group prior to updating the standards either way.  There hasn't been any
> claim that AES-128 is actually broken, but the idea behind the Modern
> guidelines is to stay ahead of the cryptographic research curve.  One thing
> to keep in mind is that the Modern guidelines are intended for modern
> systems that don't require any kind of backwards compatibility or
> necessarily need to be friendly towards old, underpowered systems (such as
> older smartphones).
> For reference, this is the current state of preference order for the four
> major browser manufacturers:
> Firefox: AES-128-GCM > AES-256-CBC > AES-256-CBC (doesn't include
> AES-256-GCM in list of cipher suites)
> Chrome: AES-128-GCM > AES-256-CBC > AES-128-CBC (also does not request
> AES-256-GCM)
> Safari: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
> Edge: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
> Proposal for Modern:
> AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
> If the general agreement is to move Modern to AES-256, it may also be
> worthwhile considering whether or when we move that recommendation down to
> the Intermediate level, which is intended for general purpose websites that
> don't have a need for backwards compatibility with very old clients (such
> as IE6/Win XP SP2).
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
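To make the practical effect of the proposed Modern order concrete, here is an added example (my own, not code from the thread or from the Mozilla guidelines) that simulates server-preference cipher selection against the four browser preference lists quoted above. The browser lists are reduced to the AES bulk-cipher families named in the mail; Firefox's third entry, which the mail gives as AES-256-CBC a second time, is assumed here to be AES-128-CBC.

```python
# Added example: simulate TLS cipher-suite selection for the quoted browser
# preference lists under the proposed Modern order. Only the AES family of
# each suite is modelled; key exchange and MAC details are omitted.
from typing import Dict, List, Optional

# Client offers, in the order quoted in the mail (constructed data; Firefox's
# third entry assumed to be AES-128-CBC rather than the repeated AES-256-CBC).
BROWSER_OFFERS: Dict[str, List[str]] = {
    "Firefox": ["AES-128-GCM", "AES-256-CBC", "AES-128-CBC"],  # no AES-256-GCM
    "Chrome":  ["AES-128-GCM", "AES-256-CBC", "AES-128-CBC"],  # no AES-256-GCM
    "Safari":  ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "AES-128-CBC"],
    "Edge":    ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "AES-128-CBC"],
}

# Server order proposed for Modern in the mail.
MODERN_PROPOSAL = ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "AES-128-CBC"]


def negotiate(server_prefs: List[str], client_offers: List[str],
              server_preference: bool = True) -> Optional[str]:
    """Return the first mutually supported suite, walking the list of the
    side whose order is authoritative (the server's, unless told otherwise).
    None models a handshake failure: no suite in common."""
    first, second = ((server_prefs, client_offers) if server_preference
                     else (client_offers, server_prefs))
    for suite in first:
        if suite in second:
            return suite
    return None


def negotiate_all(server_prefs: List[str],
                  server_preference: bool = True) -> Dict[str, Optional[str]]:
    """Negotiated suite per browser for a given server order."""
    return {name: negotiate(server_prefs, offers, server_preference)
            for name, offers in BROWSER_OFFERS.items()}


def browsers_getting(server_prefs: List[str], suite: str) -> List[str]:
    """Which of the quoted browsers actually end up on `suite`."""
    return sorted(b for b, s in negotiate_all(server_prefs).items() if s == suite)


if __name__ == "__main__":
    for browser, suite in negotiate_all(MODERN_PROPOSAL).items():
        print(f"{browser:8s} -> {suite}")
    print("AES-256-GCM reaches:", browsers_getting(MODERN_PROPOSAL, "AES-256-GCM"))
```

Under the proposed order only the clients that offer AES-256-GCM (Safari and Edge in the quoted lists) negotiate it; Firefox and Chrome still land on AES-128-GCM, so the server-side preference change alone does not move those browsers to 256-bit keys.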