[Ach] on algorithmic agility

ianG iang at iang.org
Tue Dec 3 14:20:05 CET 2013

On 3/12/13 00:32 AM, Adi Kriegisch wrote:
> Hi!
>> I do not recommend algorithmic agility.  It rarely if ever has led to
>> some sort of benefit out in userland, and it sets you up for disasters
>> of compatibility later on.
>> http://iang.org/ssl/h1_the_one_true_cipher_suite.html
>> If you stick to AES128 and AES256 then there is no reason to believe
>> there will be a problem.  It's not a popularity contest.
> We had a short discussion about this topic in today's meeting and came to
> the conclusion that we want to suggest the usage of different ciphers:
> at least AES and CAMELLIA at the moment (128 and 256bit).

Somewhat after the decision, I know, and fighting a lost battle, but 
here's what DJB said in March, at FSE in his keynote "Failures of 
secret-key cryptography"

   “Cryptographic algorithm agility”:
   (1) the pretense that bad crypto is okay if there’s a backup plan +
   (2) the pretense that there is in fact a backup plan.

   SSL has a crypto switch that in theory allows switching to AES-GCM.
   But most SSL software doesn’t support AES-GCM.

   The software does support one non-CBC option: RC4. Now widely
   recommended, used for 50% of SSL traffic.

after which, he then proceeds to roundly trash RC4 as a favoured 


(For amusement and giggles, in slide 2, he takes aim at what I and 
Gutmann pronounced in 2011 ...)
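The slide quoted above turns on a factual question: does the SSL stack you actually run offer the "backup" suite, or only the one you are trying to leave? The following is an added example, not part of ianG's message or of DJB's slides, that asks that question of the local OpenSSL build through Python's standard `ssl` module. It assumes a CPython linked against a reasonably current OpenSSL; the function names and the sample output in the `main` block are mine.

```python
"""Check which AES-GCM suites the local TLS stack really offers, and
whether the RC4 "fallback" from the 2013 slide can still be configured.

Added example (not from the original post); assumes CPython's ssl module
linked against OpenSSL. Function names are illustrative choices.
"""
import ssl


def gcm_suites() -> list[str]:
    """Names of the AES-GCM cipher suites the local OpenSSL will negotiate.

    A stack that returns an empty list here has the "crypto switch" DJB
    describes but nothing behind it.
    """
    ctx = ssl.create_default_context()
    # get_ciphers() returns one dict per enabled suite; 'name' is the
    # OpenSSL suite name, e.g. 'ECDHE-RSA-AES128-GCM-SHA256'.
    return [c["name"] for c in ctx.get_ciphers() if "GCM" in c["name"]]


def cbc_suites() -> list[str]:
    """Names of the enabled CBC-mode suites (the ones RC4 was a 'way out' of)."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if "CBC" in c["name"]]


def rc4_configurable() -> bool:
    """True if this OpenSSL still accepts an RC4-only cipher string.

    set_ciphers() raises ssl.SSLError ("No cipher can be selected") when
    no enabled TLS 1.2 suite matches the string, which is the expected
    result on any OpenSSL built without RC4 or at a modern security level.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("RC4")
    except ssl.SSLError:
        return False
    return True


def report() -> dict[str, object]:
    """Summary a practitioner can compare against the slide's claims."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "aes_gcm_suites": gcm_suites(),
        "cbc_suites": cbc_suites(),
        "rc4_configurable": rc4_configurable(),
    }


if __name__ == "__main__":
    r = report()
    print(r["openssl"])
    print(f"AES-GCM suites available: {len(r['aes_gcm_suites'])}")
    for name in r["aes_gcm_suites"]:
        print("  ", name)
    print(f"CBC suites still enabled: {len(r['cbc_suites'])}")
    print(f"RC4 configurable: {r['rc4_configurable']}")
```

On a current OpenSSL the GCM list is non-empty and RC4 cannot be selected at all, which is the opposite of the 2013 picture the slide paints; the point of running it rather than assuming is exactly the slide's point (2).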

