[Ach] Proposal to change B cipher spec

Adi Kriegisch adi at kriegisch.at
Thu Apr 3 09:31:37 CEST 2014


Hey!

> While we're at it, could we get rid of camellia as well?
> 
> 	* no constant time implementation
I think we need to live with all those possible side-channel attacks
resulting from the non-constant-time implementations available: up to now there
is no constant-time software implementation of AES or AES-GCM in openssl,
there is a plethora of devices out there with no hardware AES support and
we can never make sure that both ends use constant-time implementations.
So, actually, we need to hope that someone takes care of AES and AES-GCM
constant-time implementations *soon*, but for the time being there is no
such thing as constant time in ciphers... ;-)
(At this point we should probably think about what to recommend on how to
deal with those side channels.)

> 	* no extensive cryptanalysis - at least not as extensive as AES
Cannot judge that.

> 	* not actively used anywhere as far as I'm aware of
I do use it if that counts... ;-)

Ah, and to answer your original question: we probably could, although I do
not see a striking reason to do so.

> > Can we include a `!IDEA` in the cipher spec at the end please?
Absolutely! Please just commit that!

-- Adi
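To make the `!IDEA` suggestion concrete, here is an added example (not from this thread and not OpenSSL's own code) that models how OpenSSL applies the cipher-list operators `!`, `-` and `+` in order, and why a trailing `!IDEA` (or `!CAMELLIA`) removes those suites for good. The suite table and the name-based keyword matching are constructed simplifications; real OpenSSL matches on structured suite properties.

```python
"""Simplified model of OpenSSL cipher-list evaluation (added example).

Assumptions: SUITES is a constructed table, and a keyword matches a suite
when it is in that suite's keyword set; real OpenSSL uses suite properties.
"""

# Constructed suite table: suite name -> keywords it belongs to.
SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"ECDHE", "RSA", "AES128", "AESGCM", "HIGH"},
    "ECDHE-RSA-AES256-SHA": {"ECDHE", "RSA", "AES256", "SHA1", "HIGH"},
    "DHE-RSA-CAMELLIA256-SHA": {"DHE", "RSA", "CAMELLIA256", "CAMELLIA", "SHA1", "HIGH"},
    "IDEA-CBC-SHA": {"RSA", "IDEA", "SHA1", "MEDIUM"},
    "DES-CBC3-SHA": {"RSA", "3DES", "SHA1", "MEDIUM"},
}


def _matches(keyword, suite):
    # "A+B" (e.g. ECDHE+AESGCM) requires every part to match; ALL matches any suite.
    return all(p == "ALL" or p in SUITES[suite] for p in keyword.split("+"))


def apply_cipher_list(spec):
    """Return the ordered list of suites enabled by the cipher string `spec`."""
    enabled = []
    killed = set()  # suites deleted with '!' can never be re-added later
    for item in spec.split(":"):
        if not item:
            continue
        op, kw = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        hits = [s for s in SUITES if _matches(kw, s)]
        if op == "!":
            killed.update(hits)
            enabled = [s for s in enabled if s not in killed]
        elif op == "-":
            # '-' removes the suites now, but a later keyword may add them back
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":
            # '+' moves matching enabled suites to the end, keeping their order
            moved = [s for s in enabled if s in hits]
            enabled = [s for s in enabled if s not in hits] + moved
        else:
            for s in hits:
                if s not in enabled and s not in killed:
                    enabled.append(s)
    return enabled
```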