Julien Vehent <jul...@linuxwall.info> wrote:
> The original thread [1] had a long discussion on this topic. The DJB batch
> attack redefines the landscape, but does not address the original concerns
> around AES-256 resistance. To me, the main question is to verify whether
> AES-256 implementations are at least as resistant as AES-128 ones, in which
> case the doubled key size provides a net benefit, and preferring it is a
> no-brainer.
>
> [1]
> http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html
The discussion above was biased in favor of what was best for FirefoxOS and FxAndroid. That discussion also didn't account for the emergence of ChaCha20-Poly1305. I believe it makes more sense for the server to prefer 256-bit cipher suites than when I wrote in the discussion above, but ChaCha20-Poly1305 needs to be taken into consideration to account for ARM clients. And unfortunately most software (OpenSSL in particular) isn't ready for ChaCha20-Poly1305 yet.

It may be useful to compare the processing cost of AES-128, AES-256, and gzip/deflate when making your case. In particular, if you are compressing every response then the difference between AES-128 and AES-256 probably doesn't matter much to you.

Regarding the batch attack mentioned by DJB, make sure you understand how it does and does not apply to TLS. See [1] and [2] and note how client_write_IV/server_write_IV are used.

[1] https://www.ietf.org/mail-archive/web/tls/current/msg15573.html
[2] https://www.ietf.org/mail-archive/web/tls/current/msg16088.html

Cheers,
Brian
--
https://briansmith.org/

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
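The processing-cost comparison suggested in the reply above, as an added example that is not part of the thread: a small Go program (standard library only, so ChaCha20-Poly1305 is left out) that measures AES-128-GCM, AES-256-GCM and deflate throughput over a constructed, compressible response body. The fixed key and nonce are assumptions for benchmarking only.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"time"
)

// Constructed sample response body: repetitive markup, so deflate has real work to do.
var sample = bytes.Repeat([]byte("<li class=\"row\">item 1234: some repeated markup and prose</li>\n"), 4000)

// aesGCMSeal encrypts plaintext with AES-GCM; keySize 16 selects AES-128, 32 selects AES-256.
// Key and nonce are fixed constants: acceptable for a throughput benchmark, never for real traffic.
func aesGCMSeal(keySize int, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(bytes.Repeat([]byte{0x42}, keySize))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, make([]byte, aead.NonceSize()), plaintext, nil), nil
}

// deflateCompress compresses plaintext at the default level, as gzip does on a response body.
func deflateCompress(plaintext []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // errors only on an invalid level
	w.Write(plaintext)                                      // a bytes.Buffer sink cannot fail
	w.Close()
	return buf.Bytes(), nil
}

// throughputMBps applies op to sample iters times and reports megabytes of input per second.
func throughputMBps(op func([]byte) ([]byte, error), iters int) float64 {
	start := time.Now()
	for i := 0; i < iters; i++ {
		op(sample)
	}
	return float64(len(sample)*iters) / time.Since(start).Seconds() / 1e6
}

func main() {
	for _, ks := range []int{16, 32} {
		op := func(p []byte) ([]byte, error) { return aesGCMSeal(ks, p) }
		fmt.Printf("AES-%d-GCM: %.0f MB/s\n", ks*8, throughputMBps(op, 50))
	}
	fmt.Printf("deflate:     %.0f MB/s\n", throughputMBps(deflateCompress, 50))
}
```

On hardware with AES instructions the two AES figures are typically close to each other and both far above deflate, which is the point of the comparison.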