[openssl-dev] Circumstances cause CBC often to be preferred over GCM modes

Viktor Dukhovni openssl-users at dukhovni.org
Tue Dec 16 17:17:01 UTC 2014


On Tue, Dec 16, 2014 at 05:11:34PM +0100, Hubert Kario wrote:

> there are a few issues still
>  - aRSA preferred before aECDSA
>  - AES256 before AES128 in general
>  - a few export grade ciphers placed before secure ciphers
>  - 3DES is placed arbitrarily
> 
> I'd prefer to not only change the order, but also say what was the intent and 
> what is the preferred ordering (which keys are used for ordering), so that 
> when new ciphers come, it will be more or less obvious where they should be 
> placed

In particular there MUST NOT be any fragile hand-tuning.  All
ordering needs to be based on general principles.  

One might, for example, say that any CBC cipher at 128+ bits gets a
baseline sorting strength of 128 bits.  One might then apply either
"@STRENGTH" or "@SPEED" (new), the first of which adds "1" to any
CBC cipher whose key is longer than 128 bits, the second to those
that are equal to "128" bits.

With AES AEAD the baseline could be "129", with similar "STRENGTH"
vs. "SPEED" boosts, which would ensure that AEAD at 128 beats CBC at 256.

However, where do we fit ChaCha20/Poly-1305?  Again, not hand-placement,
but some extensible algorithm.

-- 
	Viktor.
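
The scoring sketched in the message above, worked through as an added example (not part of the original post and not OpenSSL code; "@SPEED" is the keyword the message proposes). The `Suite` type, the `score` and `rank` functions and the tie-break on baseline are assumptions of this illustration: with the stated numbers AES128-GCM and AES256-CBC both score 129 under "@STRENGTH", so the tie-break decides their order.

```python
from typing import NamedTuple

class Suite(NamedTuple):
    name: str      # OpenSSL cipher-suite name
    mode: str      # "CBC" or "AEAD"
    key_bits: int  # symmetric key length

# Baselines from the message: CBC at 128+ bits sorts as 128, AES AEAD as 129.
BASELINE = {"CBC": 128, "AEAD": 129}

def score(suite: Suite, policy: str) -> int:
    """Sorting strength of one suite under "@STRENGTH" or "@SPEED"."""
    if suite.key_bits < 128:
        # The message only defines scores for 128+ bit ciphers.
        raise ValueError(f"{suite.name}: no score defined below 128 bits")
    if policy == "@STRENGTH":
        boost = suite.key_bits > 128    # longer keys get +1
    elif policy == "@SPEED":
        boost = suite.key_bits == 128   # 128-bit keys get +1
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return BASELINE[suite.mode] + int(boost)

def rank(suites, policy):
    """Names ordered best-first. Equal scores are broken by baseline
    (an assumption of this example; the message defines no tie-break)."""
    ordered = sorted(suites, key=lambda s: (-score(s, policy), -BASELINE[s.mode]))
    return [s.name for s in ordered]

# Constructed sample list, deliberately in an unhelpful starting order.
SUITES = [
    Suite("AES256-SHA", "CBC", 256),
    Suite("AES128-SHA", "CBC", 128),
    Suite("AES128-GCM-SHA256", "AEAD", 128),
    Suite("AES256-GCM-SHA384", "AEAD", 256),
]

if __name__ == "__main__":
    for policy in ("@STRENGTH", "@SPEED"):
        print(policy, rank(SUITES, policy))
```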

