http://stackoverflow.com/questions/10378066/which-algorithm-is-stronger-for-tls-aes-256-or-camellia-256
which says:
The reasoning is contained in the NSS library source code and is somewhat
convoluted, but it has nothing to do with security. It has to do with a
desire to support
Bodo Moeller bmoel...@acm.org writes:
If you wonder why NSS would prefer Camellia over AES (I sure did), here's the
rationale. (Not a very good one, in my opinion -- if servers in certain
countries are expected to have a strong preference for certain ciphersuites,
those servers should override
On Feb 18, 2013, at 5:43 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Bodo Moeller bmoel...@acm.org writes:
If you wonder why NSS would prefer Camellia over AES (I sure did), here's the
rationale. (Not a very good one, in my opinion -- if servers in certain
countries are expected to
On 18/02/13 18:49 PM, Paul Hoffman wrote:
On Feb 18, 2013, at 5:43 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Bodo Moeller bmoel...@acm.org writes:
If you wonder why NSS would prefer Camellia over AES (I sure did), here's the
rationale. (Not a very good one, in my opinion -- if
I wrote:
Those are some pretty odd stats... Camellia is almost as popular as 3DES?
To which Yaron Sheffer pointed me to:
http://stackoverflow.com/questions/10378066/which-algorithm-is-stronger-for-tls-aes-256-or-camellia-256
which says:
The reasoning is contained in the NSS library source
On 16/02/13 16:19 PM, Peter Gutmann wrote:
I wrote:
Those are some pretty odd stats... Camellia is almost as popular as 3DES?
To which Yaron Sheffer pointed me to:
http://stackoverflow.com/questions/10378066/which-algorithm-is-stronger-for-tls-aes-256-or-camellia-256
which says:
The
On Wed, Feb 13, 2013 at 12:52 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
active use of ECC suites on the public Internet is practically nonexistent
That's not entirely accurate; try www.google.com.
Bodo
[Bodo Moeller bmoel...@acm.org (2013-02-13 14:26:56 UTC)]
On Wed, Feb 13, 2013 at 12:52 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
active use of ECC suites on the public Internet is practically nonexistent
That's not entirely accurate; try www.google.com.
I didn't know that.
On Feb 13, 2013, at 3:22 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Bodo Moeller bmoel...@acm.org writes:
On Wed, Feb 13, 2013 at 12:52 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
active use of ECC suites on the public Internet is practically nonexistent
That's not
Those are some pretty odd stats... Camellia is almost as popular as 3DES?
Well, it is what we see :).
And all in all Camellia is even more popular than 3DES in our data set (there
are some more less popular cipher suites for both 3DES and Camellia).
It is pretty close though.
Bernhard
Nico Williams n...@cryptonector.com writes:
SSHv2 has this approach and it has not been a disaster there.
It's still quite a mess. To compare the two, my TLS suite-choosing code is
more or less:
highestSuite = 0;
foreach suite
suite = readInteger();
if priority( suite )
Hi Peter,
On 11 Feb 2013, at 22:45, Peter Gutmann wrote:
Ralph Holz h...@net.in.tum.de writes:
From what I can tell from our data, the most common symmetric ciphers in SSH
are proposed by client/servers to be used in CBC mode. With SSL/TLS and
XMLEnc, this mode has had quite some
Jeff,
There have been attacks on SSH based on the fact that portions of the packets
aren't authenticated, and as soon as the TLS folks stop bikeshedding and
adopt
encrypt-then-MAC I'm going to propose the same thing for SSH, it's such a
no-brainer it should have been adopted years ago
Nico Williams n...@cryptonector.com writes:
If we want a policy of limiting what cipher suites we allocate codepoints to
then we should have an *explicit* policy, and we should not wimp out when it
comes time to enforcing it.
It'll never work, people will clamour for their pet vanity ciphers no
Paterson, Kenny kenny.pater...@rhul.ac.uk writes:
In fact, SSHv2 adopts an Encrypt-and-MAC construction and all fields in SSHv2
are authenticated. But the issue is that this authentication cannot be
checked until the whole message has arrived, and the receiver has to use a
field in the plaintext to
On 12/02/13 03:04 AM, Peter Gutmann wrote:
Nico Williams n...@cryptonector.com writes:
I'd go further: this could be the start of the end of the cipher suite
cartesian product nonsense in TLS. Just negotiate {cipher, mode} and key
exchange separately, or possibly cipher, mode, and key
Hi,
From what I can tell from our data, the most common symmetric ciphers in
SSH are proposed by client/servers to be used in CBC mode. With SSL/TLS
and XMLEnc, this mode has had quite some publicity in the recent past.
I was wondering to which degree the attacks that were possible on SSL
with
Ralph Holz h...@net.in.tum.de writes:
From what I can tell from our data, the most common symmetric ciphers in SSH
are proposed by client/servers to be used in CBC mode. With SSL/TLS and
XMLEnc, this mode has had quite some publicity in the recent past.
There have been attacks on SSH based on
On Mon, Feb 11, 2013 at 4:45 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
There have been attacks on SSH based on the fact that portions of the packets
aren't authenticated, and as soon as the TLS folks stop bikeshedding and adopt
encrypt-then-MAC I'm going to propose the same thing for
Nico Williams n...@cryptonector.com writes:
On Mon, Feb 11, 2013 at 4:45 PM, Peter Gutmann pgut...@cs.auckland.ac.nz
wrote:
There have been attacks on SSH based on the fact that portions of the packets
aren't authenticated, and as soon as the TLS folks stop bikeshedding and
adopt
On Mon, Feb 11, 2013 at 5:45 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Ralph Holz h...@net.in.tum.de writes:
From what I can tell from our data, the most common symmetric ciphers in SSH
are proposed by client/servers to be used in CBC mode. With SSL/TLS and
XMLEnc, this mode has had
On Mon, Feb 11, 2013 at 4:57 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Nico Williams n...@cryptonector.com writes:
On Mon, Feb 11, 2013 at 4:45 PM, Peter Gutmann pgut...@cs.auckland.ac.nz
wrote:
There have been attacks on SSH based on the fact that portions of the
packets
aren't
Jeffrey Walton noloa...@gmail.com writes:
I know it's nothing new here. I'm just befuddled why standardized protocols
written in stone by bright folks (IETF, IEEE, et al) continue to suffer
defects that I don't make/endure (because I listen to cryptographers like
you).
Well, I'm not really a
Nico Williams n...@cryptonector.com writes:
I'd go further: this could be the start of the end of the cipher suite
cartesian product nonsense in TLS. Just negotiate {cipher, mode} and key
exchange separately, or possibly cipher, mode, and key exchange, in just the
same way as you propose
On Mon, Feb 11, 2013 at 6:04 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Nico Williams n...@cryptonector.com writes:
I'd go further: this could be the start of the end of the cipher suite
cartesian product nonsense in TLS. Just negotiate {cipher, mode} and key
exchange separately, or
On 02/12/2013 12:04 AM, Peter Gutmann wrote:
The problem with the cipher-suite explosion is that people want to throw in
vast numbers of pointless vanity suites and algorithms that no-one will ever
use
On balance I think the ciphersuite approach is slightly better
at being a slight counter
On Mon, Feb 11, 2013 at 6:23 PM, Stephen Farrell
stephen.farr...@cs.tcd.ie wrote:
On 02/12/2013 12:04 AM, Peter Gutmann wrote:
The problem with the cipher-suite explosion is that people want to throw in
vast numbers of pointless vanity suites and algorithms that no-one will ever
use
On
On 02/12/2013 12:42 AM, Nico Williams wrote:
On Mon, Feb 11, 2013 at 6:23 PM, Stephen Farrell
stephen.farr...@cs.tcd.ie wrote:
On 02/12/2013 12:04 AM, Peter Gutmann wrote:
The problem with the cipher-suite explosion is that people want to throw in
vast numbers of pointless vanity suites and
On Mon, Feb 11, 2013 at 7:00 PM, Stephen Farrell
stephen.farr...@cs.tcd.ie wrote:
On 02/12/2013 12:42 AM, Nico Williams wrote:
On Mon, Feb 11, 2013 at 6:23 PM, Stephen Farrell
stephen.farr...@cs.tcd.ie wrote:
But I suspect that that was not the rationale way, way back when, back
when
On Mon, Feb 11, 2013 at 6:20 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
snip
... I don't understand the resistance either, in the case
of TLS it's such a trivial change (in my case it was two lines of code
added
and two lines swapped, alongside hundreds of lines of ad-hockery