[Ach] on algorithmic agility
ianG
iang at iang.org
Tue Dec 3 14:20:05 CET 2013
On 3/12/13 00:32 AM, Adi Kriegisch wrote:
> Hi!
>
>> I do not recommend algorithmic agility. It rarely if ever has led to
>> some sort of benefit out in userland, and it sets you up for disasters
>> of compatibility later on.
>>
>> http://iang.org/ssl/h1_the_one_true_cipher_suite.html
>>
>> If you stick to AES128 and AES256 then there is no reason to believe
>> there will be a problem. It's not a popularity contest.
> We had a short discussion about this topic in today's meeting and came to
> the conclusion that we want to suggest the usage of different ciphers:
> at least AES and CAMELLIA at the moment (128 and 256bit).
Somewhat after the decision, I know, and fighting a lost battle, but
here's what DJB said in March, at FSE in his keynote "Failures of
secret-key cryptography"
“Cryptographic algorithm agility”:
(1) the pretense that bad crypto is okay if there’s a backup plan +
(2) the pretense that there is in fact a backup plan.
SSL has a crypto switch that in theory allows switching to AES-GCM.
But most SSL software doesn’t support AES-GCM.
The software does support one non-CBC option: RC4. Now widely
recommended, used for 50% of SSL traffic.
after which, he then proceeds to roundly trash RC4 as a favoured
algorithm...
http://cr.yp.to/talks/2013.03.12/slides.pdf
(For amusement and giggles, in slide 2, he takes aim at what I and
Gutmann pronounced in 2011 ...)
iang
More information about the Ach
mailing list