Other recommended reading when discussing this:

https://crypto.stackexchange.com/questions/5118/is-aes-256-weaker-than-192-and-128-bit-versions

https://www.schneier.com/blog/archives/2009/07/another_new_aes.html

https://www.reddit.com/r/crypto/comments/39211m/is_really_aes256_less_secure_than_aes128/

https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/
"Are 256-bit keys less secure than 128-bit keys?"

~reed

On Wed, Nov 25, 2015 at 2:01 PM, April King <ap...@mozilla.com> wrote:

> My colleague Julien Vehent and I are in the process of updating the
> Mozilla Server Side TLS documentation:
>
> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> One of the topics of conversation was whether or not the Modern TLS
> configuration should prefer AES-256 over AES-128.  Recently, there has been
> some doubt cast over the security of AES-128, between posts by security
> researchers like djb, as well as the recent decision by the NSA to
> recommend AES-256 over AES-128, due to its increased resistance against
> quantum cryptography:
>
> http://blog.cr.yp.to/20151120-batchattacks.html
> https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
>
> The general consensus was to bring the conversation to the dev.tech.crypto
> group prior to updating the standards either way.  There hasn't been any
> claim that AES-128 is actually broken, but the idea behind the Modern
> guidelines is to stay ahead of the cryptographic research curve.  One thing
> to keep in mind is that the Modern guidelines are intended for modern
> systems that don't require any kind of backwards compatibility or
> necessarily need to be friendly towards old, underpowered systems (such
> as older smartphones).
>
> For reference, this is the current state of preference order for the four
> major browser manufacturers:
> Firefox: AES-128-GCM > AES-256-CBC > AES-256-CBC (doesn't include
> AES-256-GCM in list of cipher suites)
> Chrome: AES-128-GCM > AES-256-CBC > AES-128-CBC (also does not request
> AES-256-GCM)
> Safari: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
> Edge: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
>
> Proposal for Modern:
> AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
>
> If the general agreement is to move Modern to AES-256, it may also be
> worthwhile considering whether or when we move that recommendation down to
> the Intermediate level, which is intended for general purpose websites that
> don't have a need for backwards compatibility with very old clients (such
> as IE6/Win XP SP2).
>
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
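As an added example (not part of this thread, and not Mozilla's own code): a small Python check that sorts OpenSSL-style TLS 1.2 suite names into the four classes named in the proposal, then reports where a configured list departs from the proposed Modern order and which classes it lacks. The function names and both suite lists are constructed for illustration.

```python
import re

# Proposed Modern order from the quoted message, most preferred first.
PROPOSED_ORDER = ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "AES-128-CBC"]

# OpenSSL TLS 1.2 names carry no mode token for CBC suites
# (e.g. ECDHE-RSA-AES256-SHA384), so absence of GCM/CCM means CBC.
_AES_RE = re.compile(r"AES(128|256)(?:-(GCM|CCM8?))?")

def classify(suite):
    """Return 'AES-<bits>-<mode>' for AES-GCM/CBC suites, else None."""
    m = _AES_RE.search(suite)
    if m is None:
        return None                      # not AES (e.g. ChaCha20-Poly1305)
    if m.group(2) is None:
        return f"AES-{m.group(1)}-CBC"
    if m.group(2) == "GCM":
        return f"AES-{m.group(1)}-GCM"
    return None                          # CCM is outside the proposal

def order_violations(suites):
    """Pairs (suite, placed_after): suite sits behind a lower-ranked class."""
    violations = []
    worst_rank, worst_suite = -1, None
    for suite in suites:
        cls = classify(suite)
        if cls is None:
            continue
        rank = PROPOSED_ORDER.index(cls)
        if rank < worst_rank:
            violations.append((suite, worst_suite))
        elif rank > worst_rank:
            worst_rank, worst_suite = rank, suite
    return violations

def missing_classes(suites):
    """Classes from the proposal that the list does not offer at all."""
    seen = {classify(s) for s in suites}
    return [c for c in PROPOSED_ORDER if c not in seen]

# Constructed sample: AES-128-GCM listed ahead of AES-256-GCM.
SAMPLE_128_FIRST = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256"]
# Constructed sample: no AES-256-GCM offered at all.
SAMPLE_NO_256_GCM = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
                     "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256"]

if __name__ == "__main__":
    print(order_violations(SAMPLE_128_FIRST))
    print(missing_classes(SAMPLE_NO_256_GCM))
```

A list that omits AES-256-GCM produces no ordering violation under this check; it shows up only in `missing_classes`.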