[Ach] Cipher-Order: AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE
Aaron Zauner
azet at azet.org
Mon Nov 9 14:46:00 CET 2015
Terje Elde wrote:
> Possibly, not probably. Depends on the leak really. For timing-attacks for example, susceptibility would depend not only on the algorithm, but the specific implementation of it.
Sure. I wasn't really thinking about timing attacks but rather emission
security, differential power analysis etc. - for timing attacks modern
implementations have constant time code for most ciphers (especially
well audited for AES and its various block-cipher modes). Can't say the
same thing for other ciphers; some are intentionally constant-time (e.g.
ChaCha20/Poly1305).
Take OpenSSL for example; while you'll regularly see performance and
security improvements with their optimized assembly, you won't see a lot
of change w.r.t. CAMELLIA:
3-5 year old code (1.0.1p branch):
https://github.com/openssl/openssl/tree/OpenSSL_1_0_1p/crypto/camellia/asm
last updated a year ago (1.0.1p branch):
https://github.com/openssl/openssl/tree/OpenSSL_1_0_1p/crypto/aes/asm
You might also notice the lacking platform support for non-x86.
>
> If there’s ever an attack against hardware-implementations in a CPU (AESNI, similar from AMD etc), it’s very unlikely that it’d affect anything but AES, especially given that it’s typically the only symmetric block cipher that’s catered for.
>
That would likely affect GCM in general. More details on AESNI:
https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf
Aaron