Re: AES-256 vs. AES-128

2015-11-25 Thread Reed Loden
Other recommended reading when discussing this:

https://crypto.stackexchange.com/questions/5118/is-aes-256-weaker-than-192-and-128-bit-versions

https://www.schneier.com/blog/archives/2009/07/another_new_aes.html

https://www.reddit.com/r/crypto/comments/39211m/is_really_aes256_less_secure_than_aes128/

https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/
"Are 256-bit keys less secure than 128-bit keys?"

~reed

On Wed, Nov 25, 2015 at 2:01 PM, April King wrote:

> My colleague Julien Vehent and I are in the process of updating the
> Mozilla Server Side TLS documentation:
>
> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> One of the topics of conversation was whether or not the Modern TLS
> configuration should prefer AES-256 over AES-128.  Recently, there has been
> some doubt cast over the security of AES-128, between posts by security
> researchers like djb, as well as the recent decision by the NSA to
> recommend AES-256 over AES-128, due to its increased resistance against
> quantum cryptography:
>
> http://blog.cr.yp.to/20151120-batchattacks.html
> https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
>
> The general consensus was to bring the conversation to the dev.tech.crypto
> group prior to updating the standards either way.  There hasn't been any
> claim that AES-128 is actually broken, but the idea behind the Modern
> guidelines is to stay ahead of the cryptographic research curve.  One thing
> to keep in mind is that the Modern guidelines are intended for modern
> systems that don't require any kind of backwards compatibility or
> necessarily need to be friendly towards old, underpowered systems (such as
> older smartphones).
>
> For reference, this is the current state of preference order for the four
> major browser manufacturers:
> Firefox: AES-128-GCM > AES-256-CBC > AES-256-CBC (doesn't include
> AES-256-GCM in list of cipher suites)
> Chrome: AES-128-GCM > AES-256-CBC > AES-128-CBC (also does not request
> AES-256-GCM)
> Safari: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
> Edge: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
>
> Proposal for Modern:
> AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
>
> If the general agreement is to move Modern to AES-256, it may also be
> worthwhile considering whether or when we move that recommendation down to
> the Intermediate level, which is intended for general purpose websites that
> don't have a need for backwards compatibility with very old clients (such
> as IE6/Win XP SP2).
>
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>


AES-256 vs. AES-128

2015-11-25 Thread April King
My colleague Julien Vehent and I are in the process of updating the 
Mozilla Server Side TLS documentation:


https://wiki.mozilla.org/Security/Server_Side_TLS

One of the topics of conversation was whether or not the Modern TLS 
configuration should prefer AES-256 over AES-128.  Recently, there has 
been some doubt cast over the security of AES-128, between posts by 
security researchers like djb, as well as the recent decision by the 
NSA to recommend AES-256 over AES-128, due to its increased resistance 
against quantum cryptography:


http://blog.cr.yp.to/20151120-batchattacks.html
https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

The general consensus was to bring the conversation to the 
dev.tech.crypto group prior to updating the standards either way.  
There hasn't been any claim that AES-128 is actually broken, but the 
idea behind the Modern guidelines is to stay ahead of the cryptographic 
research curve.  One thing to keep in mind is that the Modern 
guidelines are intended for modern systems that don't require any kind 
of backwards compatibility or necessarily need to be friendly towards 
old, underpowered systems (such as older smartphones).


For reference, this is the current state of preference order for the 
four major browser manufacturers:
Firefox: AES-128-GCM > AES-256-CBC > AES-256-CBC (doesn't include 
AES-256-GCM in list of cipher suites)
Chrome: AES-128-GCM > AES-256-CBC > AES-128-CBC (also does not request 
AES-256-GCM)
Safari: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
Edge: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC

Proposal for Modern:
AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC

If the general agreement is to move Modern to AES-256, it may also be 
worthwhile considering whether or when we move that recommendation down 
to the Intermediate level, which is intended for general purpose 
websites that don't have a need for backwards compatibility with very 
old clients (such as IE6/Win XP SP2).


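An added example, not part of the original messages: a simplified model of which AES cipher each listed browser would end up with against a server that enforces the proposed Modern order. The browser offers are copied from the post as written; the `AES128_FIRST` comparison order and the function names are constructed for illustration, and key exchange, authentication and protocol version are ignored.

```python
# Added illustration: simplified cipher selection. Only the AES key size and
# mode are modelled; a real handshake also matches key exchange and auth.

# Client preference orders exactly as listed in the post.
CLIENT_OFFERS = {
    "Firefox": ["AES-128-GCM", "AES-256-CBC", "AES-256-CBC"],
    "Chrome": ["AES-128-GCM", "AES-256-CBC", "AES-128-CBC"],
    "Safari": ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "AES-128-CBC"],
    "Edge": ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "AES-128-CBC"],
}

# Proposed Modern order from the post.
PROPOSED_MODERN = ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "AES-128-CBC"]
# Constructed comparison: same ciphers, AES-128 preferred within each mode.
AES128_FIRST = ["AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC"]


def negotiate(server_order, client_offer, honor_server_order=True):
    """Return the first mutually supported cipher, or None if none overlap."""
    if honor_server_order:
        preferred, other = server_order, client_offer
    else:
        preferred, other = client_offer, server_order
    allowed = set(other)
    for cipher in preferred:
        if cipher in allowed:
            return cipher
    return None


def outcome(server_order, honor_server_order=True):
    """Map each browser in the post to the cipher it would negotiate."""
    return {
        browser: negotiate(server_order, offer, honor_server_order)
        for browser, offer in CLIENT_OFFERS.items()
    }


if __name__ == "__main__":
    for label, order in (("proposed Modern", PROPOSED_MODERN),
                         ("AES-128 first", AES128_FIRST)):
        print(label)
        for browser, cipher in outcome(order).items():
            print(f"  {browser:8s} -> {cipher}")
```

With the offers as listed, only Safari and Edge move to AES-256-GCM under the proposed order; Firefox and Chrome still negotiate AES-128-GCM because they do not offer AES-256-GCM.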