Cipher preference

Damien Miller djm at mindrot.org
Wed Jan 1 09:37:34 EST 2014


On Tue, 31 Dec 2013, James Cloos wrote:

> >>>>> "DM" == Damien Miller <djm at mindrot.org> writes:
> 
> DM> Lots of cryptographers also think that AES-GCM is fiendishly difficult
> DM> to get right, especially wrt timing leaks. That, and its relative
> DM> newness in OpenSSH are the reasons it is not the default.
> 
> Indeed, I should have added a paragraph about that.
> 
> My understanding is that the consensus is that openssl has fixed the
> early bugs in its implementation and gcm therefore is safe enough to
> promote.

Evidence? openssl/crypto/modes/gcm128.c is full of array operations
that look decidedly non-constant time to me.

-d
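The array operations Damien is pointing at are of the kind shown below. This is an added example, not code from OpenSSL's gcm128.c or from OpenSSH: it implements the GF(2^128) multiplication used by GHASH (the bit-reflected representation of NIST SP 800-38D) twice, once with a Shoup-style 4-bit table of hash-key multiples indexed by nibbles of the accumulator, which is the general shape of table-driven GCM code, and once bit-serially with masks and no data-dependent index. The `touched` instrumentation, the `gf128_rows_touched` helper, the constructed key bytes and the LCG-generated inputs are assumptions of this example; their purpose is to make visible that the table rows loaded, and therefore the cache lines, depend on the data being hashed, which is what a cache-timing observer measures.

```c
/*
 * Added example (not OpenSSL's or OpenSSH's code): GHASH field multiply in
 * GF(2^128), SP 800-38D bit-reflected representation, done two ways.
 *
 *   gf128_mul_table(): 4-bit table of multiples of the hash key H, indexed
 *                      by nibbles of the block being hashed. The array index
 *                      is data/secret-dependent, so the cache lines touched
 *                      vary with the input.
 *   gf128_mul_ct():    bit-serial, branch-free, no data-indexed loads.
 *
 * Both compute the same field product; what differs is what a timing
 * observer can see.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Multiply a field element by x: shift right one bit across the 16 bytes and,
 * if the bit that fell off was set, fold in the reduction constant R = 0xE1.
 * The fold uses a mask rather than a branch. */
static void mul_x(uint8_t v[16]) {
    unsigned lsb = v[15] & 1u;
    for (int j = 15; j > 0; j--)
        v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
    v[0] >>= 1;
    v[0] ^= (uint8_t)(0xE1u & (0u - lsb));
}

/* Constant-time z = x * y: Algorithm 1 of SP 800-38D with masks for branches. */
void gf128_mul_ct(const uint8_t x[16], const uint8_t y[16], uint8_t z[16]) {
    uint8_t acc[16] = {0}, v[16];
    memcpy(v, y, 16);
    for (int i = 0; i < 128; i++) {
        unsigned bit = (x[i / 8] >> (7 - (i % 8))) & 1u;   /* bit i; MSB of x[0] is bit 0 */
        uint8_t mask = (uint8_t)(0u - bit);                 /* 0x00 or 0xFF */
        for (int j = 0; j < 16; j++) acc[j] ^= v[j] & mask;
        mul_x(v);                                           /* v = y * x^(i+1) */
    }
    memcpy(z, acc, 16);
}

/* table[n] = n * H for each 4-bit n (MSB of n pairs with H*x^0, LSB with H*x^3). */
void gf128_build_table(const uint8_t h[16], uint8_t table[16][16]) {
    uint8_t hx[4][16];
    memcpy(hx[0], h, 16);
    for (int t = 1; t < 4; t++) { memcpy(hx[t], hx[t - 1], 16); mul_x(hx[t]); }
    memset(table, 0, 16 * 16);
    for (unsigned n = 0; n < 16; n++)
        for (int t = 0; t < 4; t++)
            if ((n >> (3 - t)) & 1u)
                for (int j = 0; j < 16; j++) table[n][j] ^= hx[t][j];
}

/* Table-driven z = x * H, Horner over the 32 nibbles of x. 'touched' (may be
 * NULL) records which table rows were loaded: that is the access pattern a
 * cache-timing attacker observes. */
void gf128_mul_table(const uint8_t x[16], uint8_t table[16][16],
                     uint8_t z[16], uint8_t touched[16]) {
    uint8_t acc[16] = {0};
    for (int k = 31; k >= 0; k--) {
        for (int s = 0; s < 4; s++) mul_x(acc);             /* acc *= x^4 */
        unsigned nib = (k & 1) ? (x[k / 2] & 0x0Fu) : (x[k / 2] >> 4);
        if (touched) touched[nib] = 1;
        for (int j = 0; j < 16; j++) acc[j] ^= table[nib][j];   /* data-indexed load */
    }
    memcpy(z, acc, 16);
}

/* Distinct table rows the table multiply loads for input x (constructed key;
 * only the index pattern matters here). */
int gf128_rows_touched(const uint8_t x[16]) {
    const uint8_t h[16] = {0x5a, 0xa5, 0x01};
    uint8_t table[16][16], z[16], touched[16] = {0};
    gf128_build_table(h, table);
    gf128_mul_table(x, table, z, touched);
    int n = 0;
    for (int i = 0; i < 16; i++) n += touched[i];
    return n;
}

/* Cross-check the two multipliers on LCG-generated inputs (constructed data,
 * not a known-answer test). Returns 1 if every trial agrees. */
int gf128_ct_matches_table(int trials) {
    uint32_t s = 0x12345678u;
    for (int t = 0; t < trials; t++) {
        uint8_t x[16], h[16], table[16][16], a[16], b[16];
        for (int j = 0; j < 16; j++) {
            s = s * 1664525u + 1013904223u; x[j] = (uint8_t)(s >> 24);
            s = s * 1664525u + 1013904223u; h[j] = (uint8_t)(s >> 24);
        }
        gf128_build_table(h, table);
        gf128_mul_table(x, table, a, NULL);
        gf128_mul_ct(x, h, b);
        if (memcmp(a, b, 16) != 0) return 0;
    }
    return 1;
}

int main(void) {
    const uint8_t x[16] = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
    const uint8_t zero[16] = {0};
    printf("multipliers agree on 200 generated inputs: %s\n",
           gf128_ct_matches_table(200) ? "yes" : "NO");
    printf("table rows loaded for x = 0:       %d\n", gf128_rows_touched(zero));
    printf("table rows loaded for x = 1234..: %d\n", gf128_rows_touched(x));
    return 0;
}
```

In GHASH the value multiplied by H is the running accumulator XORed with the next block, so the nibbles driving the table index depend on both the secret hash key and the data; a pattern of one row loaded versus all sixteen is the kind of difference a cache probe can distinguish. The bit-serial version is much slower, which is why real implementations reach for carry-less multiply instructions (OpenSSL has assembly paths of that kind on x86 and ARM) or for bit-sliced table-free code rather than plain table lookups; which path a given build takes, and therefore whether this concern applies, depends on the platform and how the library was compiled.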

