[openssl-dev] Circumstances cause CBC often to be preferred over GCM modes
Nico Williams
nico at cryptonector.com
Tue Dec 16 18:23:36 UTC 2014
On Tue, Dec 16, 2014 at 01:04:17PM -0500, Salz, Rich wrote:
> > Subtracting (in local configuration) algorithms from a keyword denoting all
> > known-strong algorithms is hand-tuning, but not fragile hand-tuning.
>
> Three years ago RC4 was known-strong. Two years ago DES-CBC was
> known-strong. Now we only have AES-GCM. At what point do we think
> ChaCha/Poly is known-strong, and who gets to make that call? Dan?
> Adam?
Changing the internal relative strength weightings of these requires
pushing out new code. Something that... happens all the time.
I'm not against local configuration of these things as, say, a temporary
override while waiting for patches. The configuration needs to be
simple and not fragile.
Subtracting from named sets of algorithms and sorting by desired
attributes (speed, strength), is a non-fragile way to specify
administrative preferences.
Assigning numeric algorithm strength in a config file is fragile but
acceptable for emergencies.
> Who said "these are known-strong" and when did they say it, and are
> they still correct? And where and how does a system admin find those
> things out?
This is why I'm advising against exposing any sort of numeric algorithm
strength assessments to _applications_: once those are baked in in the
application they can't be changed.
I realize that there was no proposal to do so. However, any time
numeric algorithm strength assessments are discussed is also a good time
to warn others to avoid the SASL SSF mistake.
Nico
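As an added illustration, not code from this thread or from OpenSSL itself: a toy resolver for the "named set, minus exclusions, sorted by attribute" style of configuration Nico describes, loosely modelled on OpenSSL's cipher-string syntax, next to the fragile alternative of pinning numeric strengths in the config. The algorithm names, strength numbers, speed ranking and the two library snapshots are all constructed for the example.

```python
# Added example (not from the openssl-dev thread or OpenSSL). A toy
# preference resolver modelled loosely on cipher-string syntax such as
# "STRONG:!RC4:@STRENGTH". All tables below are constructed.

# The library's own view of strength (0 = broken). The admin's config never
# contains these numbers; updating them means shipping new library code.
LIBRARY_2012 = {"AES-GCM": 3, "CHACHA-POLY": 2, "RC4": 2, "DES-CBC": 1}
LIBRARY_2014 = {"AES-GCM": 3, "CHACHA-POLY": 2, "RC4": 0, "DES-CBC": 0}

# Constructed throughput ranking used by the "@SPEED" sort (higher = faster).
SPEED = {"RC4": 4, "CHACHA-POLY": 3, "AES-GCM": 2, "DES-CBC": 1}


def resolve(spec, library):
    """Expand a spec like 'STRONG:!RC4:@STRENGTH' against a library table.

    Tokens:  ALL / STRONG        named set (every known / strength >= 2)
             !NAME               subtract NAME, and keep it out of later sets
             @STRENGTH / @SPEED  stable sort of the current list by attribute
    Returns the ordered list of selected algorithm names.
    """
    selected, banned = [], set()
    for tok in spec.split(":"):
        if tok == "ALL":
            members = list(library)
        elif tok == "STRONG":
            members = [a for a, s in library.items() if s >= 2]
        elif tok.startswith("!"):
            banned.add(tok[1:])
            selected = [a for a in selected if a != tok[1:]]
            continue
        elif tok == "@STRENGTH":
            selected.sort(key=lambda a: -library[a])
            continue
        elif tok == "@SPEED":
            selected.sort(key=lambda a: -SPEED[a])
            continue
        else:
            raise ValueError(f"unknown token {tok!r}")
        selected += [a for a in members if a not in banned and a not in selected]
    return selected


def pinned_numeric(config_strengths, library):
    """Fragile alternative: the config carries its own strength numbers, so a
    library downgrade (RC4 -> 0) is ignored until someone edits the config."""
    return [a for a, s in config_strengths.items() if s >= 2 and a in library]
```

Running the same set-based spec against both library snapshots shows RC4 dropping out on its own once the library demotes it, while the pinned-number config keeps offering it.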