[Ach] Cipher-Order: AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE

ianG iang at iang.org
Sat Nov 14 21:33:28 CET 2015

On 9/11/2015 12:06 pm, Terje Elde wrote:
>> On 09 Nov 2015, at 12:56, Aaron Zauner <azet at azet.org> wrote:
>> There's only one chinese team working on CAMELLIA attacks as far as I
>> can tell, vs. a lot of people that work on AES attacks. As people have
>> mentioned before: a attack that will break AES will likely also break
> Reverse is also mostly (but not certainly); If AES is secure, there’s a good chance that Camellia is as well.
> The one thing that worries me with the discussion of removing Camellia, is that arguments for are almost always focused exclusively on a cryptographic/mathematic perspective.  The arguments are often true, valid and good, but they’re also narrow in scope.  I’m not worried about AES from a crypto/math-perspective, what worries me is that those arguing for Camellia-removal seem to ignore the practical aspect.  It’s *far* more likely that there’ll be an engineering-break, than a math-break.  What happens if someone finds a key-leakage issue with a hardware crypto-implementation, allowing leaking keys between XEN-instances for example?
> There seems to be an implied “the math is solid, therefor AES the algoritm is secure, therefore all uses of AES is secure”.  The first conclusion is solid, but not the second.
> I find the timing of this a bit puzzling to be honest.  It’s only this very year that we saw usage of RC4 to mitigate BEAST for example.  That is, the math-solid algoritms got shifted out by some, in favour of math-broken, because they figured the tradeoff was better.  (Lots could be said about if that was a good call or not).
> It tends not to be the crypto math that gets broken, but usage, implementations, etc.

Tends?  Absolutely guaranteed. I'm not sure there is a case in living 
memory where a known-good algorithm fell.

Yes there are cases where known-deprecated algorithms fell - MD5 and RC4 
for example, and noddy Wifi.  Even tho MD5 fell, SHA1 is still standing, 
and we've had 11 years to move off it since the shots were fired, and 
still holding on.... :)


More information about the Ach mailing list