Joe,
Hi,
On Tue, 18 Nov 2014, Viktor Dukhovni commented on some feedback
from me that Stephen Farrell had kindly passed along:
4.2.1 states that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SHOULD
be the first cipher proposed, and servers SHOULD prefer that
cipher whenever it is proposed.
I'd prefer to see the AES_256 version recommended instead, given
that it provides a large margin of cryptographic strength.
The cryptographic margin in AES-128 is I believe quite sufficient
for best current practice. The performance benefits can lead to
greater adoption. Don't let the perfect be the enemy of the good.
To be explicit, my preference for AES-256 over AES-128 is a function of
three factors:
1) The NSA requires AES-256 in Suite B for TOP SECRET content. That
implies to me that at least under some circumstances, some smart
folks think that AES-128, even though good, just isn't good *enough*.
That may reflect the fact that TOP SECRET content may need to stay
protected for fifty years (and that's a long time), or it may be
related to something else (like worries about quantum computing), but at
least for some content, we know that AES-128 isn't believed to be good
enough. See https://www.nsa.gov/IA/Programs/suiteb_cryptography/
[I'm not cleared and I'm not doing anything classified, but why not
think like a civil engineer and build in a margin of safety, eh?]
I too have been told that the reason we have AES-256 is as a precaution
in case quantum computers can be built with enough qubits to attack
symmetric ciphers like AES.
If that scenario pans out, then a 256-bit key becomes as strong as a
128-bit key (in the absence of such machines). The margin of safety you
suggest imposes a performance hit, so it's not obvious that we ought to
mandate AES-256 here, especially for software implementations. In my
experience folks will jump to the "bigger is better" option too quickly,
and the performance hit might then cause them to reject using encryption
at all, which is not the desired outcome, right?
Steve
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta