Julien Vehent <jul...@linuxwall.info> wrote:

> The original thread [1] had a long discussion on this topic. The DJB batch
> attack redefines the landscape, but does not address the original concerns
> around AES-256 resistance. To me, the main question is to verify whether
> AES-256 implementations are at least as resistant as AES-128 ones, in which
> case the doubled key size provides a net benefit, and preferring it is a
> no-brainer.
> [1]
> http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html

The discussion above was biased in favor of what was best for FirefoxOS and

That discussion also didn't account for the emergence of ChaCha20-Poly1305.
I believe it makes more sense for the server to prefer 256-bit cipher
suites than when I wrote in the discussion above, but ChaCha20-Poly1305
needs to be taken into consideration to account for ARM clients. And
unfortunately most software (OpenSSL in particular) isn't ready for
ChaCha20-Poly1305 yet.

It may be useful to compare the processing cost of AES-128, AES-256, and
gzip/deflate when making your case. In particular, if you are compressing
every response then the difference between AES-128 and AES-256 probably
doesn't matter much to you.

Regarding the batch attack mentioned by DJB, make sure you understand how
it does and does not apply to TLS. See [1] and [2] and note how
client_write_IV/server_write_IV are used.

[1] https://www.ietf.org/mail-archive/web/tls/current/msg15573.html
[2] https://www.ietf.org/mail-archive/web/tls/current/msg16088.html

dev-tech-crypto mailing list

Reply via email to