[Ach] Camellia

Jeff Hodges jeff at somethingsimilar.com
Sun Jan 5 22:40:38 CET 2014


Camellia and AES are roughly equivalent in strength and equivalent in
difficulty to make constant time[1]. However, AES has had significant
investment to build constant-time implementations culminating with AES-NI,
now a standard feature on server CPUs. Camellia has not had such
far-reaching work done for its implementations. Finally, most major web
services do not prefer Camellia, and the number of uses of it is growing
smaller[2].

Because of that, putting Camellia in the cipher string is bad for interop,
and bad for security, especially as a first preference. Removing
it completely, since there are other cipher suites of equivalent strength
and better support, would be best.

[1] The use of S-boxes is what does them in, as they make timing attacks
against processor caches possible.
[2] Firefox, it seems, is one of the last major users and they are
dropping it behind the AES ciphers soon in 27. Their developers
expect Camellia to drop off the map afterwards.
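
Added example, not part of the original message: a check that expands an OpenSSL cipher string with Python's standard ssl module, reports where Camellia suites land in the preference order, and confirms that appending !CAMELLIA removes them. The sample cipher string and the function names are constructed for illustration.

```python
import ssl

# Constructed sample (not from the post): a server cipher string that
# lists Camellia as its first preference.
SAMPLE = "CAMELLIA:HIGH:!aNULL:!eNULL:!MD5"


def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string into suite names, in preference order.

    TLS 1.3 suites are skipped: set_ciphers() does not control them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def camellia_suites(cipher_string):
    """Return (rank, name) for every Camellia suite the string enables."""
    return [(rank, name)
            for rank, name in enumerate(enabled_suites(cipher_string))
            if "CAMELLIA" in name.upper()]


def without_camellia(cipher_string):
    """Append a permanent exclusion so no later keyword can re-add Camellia."""
    return cipher_string.rstrip(":") + ":!CAMELLIA"


if __name__ == "__main__":
    for label, s in (("before", SAMPLE), ("after", without_camellia(SAMPLE))):
        hits = camellia_suites(s)
        print(f"{label}: {s}")
        print(f"  {len(enabled_suites(s))} suites enabled, {len(hits)} use Camellia")
        for rank, name in hits:
            print(f"  preference #{rank + 1}: {name}")
```

The "before" count depends on whether the local OpenSSL build includes Camellia; the "after" count is zero either way.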