[Ach] Camellia

Jeff Hodges jeff at somethingsimilar.com
Sun Jan 5 22:40:38 CET 2014

Camellia and AES are roughly equivalent in strength and equivalent in
difficulty to make constant time[1]. However, AES has had significant
investment to build constant-time implementations culminating with AES-NI,
now a standard feature on server CPUs. Camellia has not had such
far-reaching work done for its implementations. Finally, most major web
services do not prefer Camellia, and the number of uses of it is growing

Because of that, putting Camellia in the cipher string is bad for interop,
and bad for security, especially as a first preference. Removing
it completely, since there are other cipher suites of equivalent strength
and better support, would be best.

[1] The use of S-boxes are what does them in, as they make timing attacks
against processor caches possible.
[2]  Firefox, it seems, is one of the last major users and they are
dropping it behind the AES ciphers soon in 27. Their developers
expect Camellia to drop off the map afterwards.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20140105/5c863c91/attachment.html>

More information about the Ach mailing list