[147005] in cryptography@c2.net mail archive
Re: [Cryptography] What TLS ciphersuites are still OK?
daemon@ATHENA.MIT.EDU (Alan Braggins)
Wed Sep 11 13:00:14 2013
X-Original-To: cryptography@metzdowd.com
Date: Wed, 11 Sep 2013 10:54:19 +0100
From: Alan Braggins <alan.braggins@gmail.com>
To: cryptography@metzdowd.com
In-Reply-To: <0490E93C-CF38-434F-A38B-36D0561A1D9B@mac.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 10/09/13 15:58, james hughes wrote:
> On Sep 9, 2013, at 9:10 PM, Tony Arcieri <bascule@gmail.com
> <mailto:bascule@gmail.com>> wrote:
>> On Mon, Sep 9, 2013 at 9:29 AM, Ben Laurie <ben@links.org
>> <mailto:ben@links.org>> wrote:
>>
>> And the brief summary is: there's only one ciphersuite left that's
>> good, and unfortunately its only available in TLS 1.2:
>>
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>
>> A lot of people don't like GCM either ;)
>
> Yes, GCM does have implementation sensitivities particularly around the
> IV generation. That being said, the algorithm is better than most and
> the implementation sensitivity obvious (don't ever reuse an IV).
I think the difficulty of getting a fast constant time implementation on
platforms without AES-NI type hardware support are more of a concern.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
