Cipher preference
Damien Miller
djm at mindrot.org
Wed Jan 1 09:37:34 EST 2014
On Tue, 31 Dec 2013, James Cloos wrote:
> >>>>> "DM" == Damien Miller <djm at mindrot.org> writes:
>
> DM> Lots of cryptographers also think that AES-GCM is fiendishly difficult
> DM> to get right, especially wrt timing leaks. That, and it's relative
> DM> newness in OpenSSH are the reasons it is not the default.
>
> Indeed, I should have added a paragraph about that.
>
> My understanding is that the consensus is that openssl has fixed the
> early bugs in its implementation and gcm therefore is safe enough to
> promote.
Evidence? openssl/crypto/modes/gcm128.c is full of array operations
that look decidedly non-constant time to me.
-d
More information about the openssh-unix-dev
mailing list