[Ach] EDH/ECDH, AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE

ianG iang at iang.org
Fri Nov 6 02:12:16 CET 2015

On 4/11/2015 09:58 am, Terje Elde wrote:
> Or to try to sum it up, if you support both (Camellia only at end of list), then:
> If neither cipher nor implementation has a problem, you’re fine.
> If AES has a problem, you’ll fall back to Camellia if either server or client disables AES.
> If Camellia has a problem, you’re fine, because you’ll use AES.
> If both have a problem, you’re still better off, because either you or browsers can steer things towards the “least broken”.
> While a complete break of AES is unlikely, it doesn’t hurt to retain options, esp. if you also consider the risk of non-cryptographic attacks, such as key leakage due to implementation errors, or other similar issues.
> To me, this seems like an obviously Good Thing.  Am I missing something?

Yep.  If there is a complete break in AES, then it is more than likely 
that every other cipher we know has been trashed as well.  A complete 
break in AES means that everything we knew about ciphers from 2000 and 
before has just been thrown out - EVERYTHING.  Which means Camellia 
looks bad too.

Remember 2004?  Every hash was under a cloud for a while and they rushed 
out a SHA3 contest.

The chance of a break is like 0.000000000000001%.  Anyone doing maths 
on those numbers needs to remember that (a) Bayesian maths is a pig and 
(b) the code is far trickier, non-provable, and the chance of the code 
having a break in it is like 0.001%.

Which is the risk you should be looking at?  The code.  How do you 
simplify the code?  Drop every other cipher.  Drop the selection. 
Completely and utterly.

>> As nobody can predict the future, the chance to do it wrong is equal regardless of how you decide.

Well, actually we can predict the future.  AES will not be broken. 
There, done.

Think I'm wrong?  Remember, DES was never broken.  SHA1 is not broken. 
Good algorithms have never been broken.  Unlike investing in banks, the 
past track record of cryptographic algorithms *is a good predictor of 
the future*.

> I suppose about half my point is that that’s not the case.
> With both, you’re no worse off than with AES-only.  With only AES, you’ve tossed away an option to mitigate issues, and not gained anything significant by doing it.

Yes, you have gained code & user simplification.  That's actually a 
measurable improvement.  Multiple algorithms aren't a measurable 
improvement because we've never ever seen a benefit.
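The four cases Terje lists (nothing wrong; AES disabled on the server; AES disabled on the client; Camellia disabled) can be checked mechanically against the way a TLS server picks a suite, which is to walk its own ordered preference list and take the first entry the client also offered. The script below does that for an "AES preferred, Camellia last" list and for an AES-only list. It is an added example for this archive page, not code from either poster or from the ACH project; the suite names and the negotiation model are simplifications constructed for the example (real suites also carry key exchange, MAC and protocol-version constraints), and the code models only the fallback behaviour, not the extra implementation surface that ianG's reply is weighing against it.

```python
"""Server-preference cipher negotiation, reduced to the part that matters
for the fallback argument: the server walks its own preference list and
selects the first suite the client also offered.  Suite names are
constructed labels for this example, not real TLS cipher-suite identifiers.
Added example, not code from the [Ach] thread."""

from typing import Dict, List, Optional, Sequence

# Constructed labels; only their relative order in a preference list matters here.
AES = "AES128-GCM"
CAMELLIA = "CAMELLIA128-GCM"


def negotiate(server_prefs: Sequence[str], client_offers: Sequence[str]) -> Optional[str]:
    """Return the first server-preferred suite the client also offered.

    None models a handshake failure: the two sides share no suite at all.
    """
    offered = set(client_offers)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def disable(suites: Sequence[str], banned: str) -> List[str]:
    """Drop one suite from a preference list, i.e. an operator or browser
    vendor reacting to a break or an implementation bug in that cipher."""
    return [s for s in suites if s != banned]


def run_scenarios(server_prefs: Sequence[str], client_offers: Sequence[str]) -> Dict[str, Optional[str]]:
    """Evaluate the cases from the quoted message for one pair of lists:
    nothing wrong, AES pulled on the server only, AES pulled on the client
    only, and Camellia pulled on the server."""
    return {
        "no_problem": negotiate(server_prefs, client_offers),
        "server_drops_aes": negotiate(disable(server_prefs, AES), client_offers),
        "client_drops_aes": negotiate(server_prefs, disable(client_offers, AES)),
        "camellia_dropped": negotiate(disable(server_prefs, CAMELLIA), client_offers),
    }


# AES first, Camellia only at the end of the list, as the quoted message proposes.
BOTH = [AES, CAMELLIA]
# The alternative ianG argues for: one cipher, no selection.
AES_ONLY = [AES]

if __name__ == "__main__":
    for label, prefs in (("AES+Camellia", BOTH), ("AES only", AES_ONLY)):
        # Client and server configured identically for the comparison.
        print(label, run_scenarios(prefs, prefs))
```

With both suites configured, every scenario still negotiates something: the two "AES pulled" cases land on Camellia and the rest stay on AES. With AES only, pulling AES on either side returns None, which is the handshake failure the fallback is meant to avoid. The script says nothing about the other half of the trade, the added code paths and selection logic that have to be maintained to get that fallback; that is the cost ianG's reply puts first.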
