[Ach] EDH/ECDH, AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE
ianG
iang at iang.org
Fri Nov 6 02:12:16 CET 2015
On 4/11/2015 09:58 am, Terje Elde wrote:
> Or to try to sum it up, if you support both (Camellia only at end of list), then:
>
> If neither cipher nor implementations have a problem, you’re fine.
> If AES has a problem, you’ll fall back to Camellia if either server or client disables AES.
> If Camellia has a problem, you’re fine, because you’ll use AES.
> If both have a problem, you’re still better off, because either you or browsers can steer things towards the “least broken”.
>
> While a complete break of AES is unlikely, it doesn’t hurt to retain options, esp. if you also consider risk of non-cryptographic attacks, such as key-leakage due to implementation-errors, or other similar issues.
>
> To me, this seems like an obviously Good Thing. Am I missing something?
Yep. If there is a complete break in AES, then it is more than likely
that every other cipher we know has been trashed as well. A complete
break in AES means that everything we knew about ciphers from 2000 and
before has just been thrown out - EVERYTHING. Which means Camellia
looks bad too.
Remember 2004? Every hash was under a cloud for a while and they rushed
out a SHA3 contest.
The chances of a break are like 0.000000000000001%. Anyone doing maths
on those numbers needs to remember that (a) Bayesian maths is a pig and
(b) the code is far trickier, non-provable and the chance of the code
having a break in it is like 0.001%.
Which is the risk you should be looking at? The code. How do you
simplify the code? Drop every other cipher. Drop the selection.
Completely and utterly.
>> As nobody can predict future the chance to do it wrong is equal regardless how you decide.
Well, actually we can predict the future. AES will not be broken.
There, done.
Think I'm wrong? Remember, DES was never broken. SHA1 is not broken.
Good algorithms have never been broken. Unlike investing in banks, the
past track record of cryptographic algorithms *is a good predictor of
the future*.
> I suppose about half my point is that that’s not the case.
>
> With both, you’re no worse off than with AES-only. With only AES, you’ve tossed away an option to mitigate issues, and not gained anything significant by doing it.
Yes you have gained code & user simplification. That's actually a
measurable improvement. Multiple algorithms aren't a measurable
improvement because we've never ever seen a benefit.
iang