Other recommended reading when discussing this: https://crypto.stackexchange.com/questions/5118/is-aes-256-weaker-than-192-and-128-bit-versions
https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
https://www.reddit.com/r/crypto/comments/39211m/is_really_aes256_less_secure_than_aes128/
https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/ "Are 256-bit keys less secure than 128-bit keys?"

~reed

On Wed, Nov 25, 2015 at 2:01 PM, April King <[email protected]> wrote:
> My colleague Julien Vehent and I are in the process of updating the
> Mozilla Server Side TLS documentation:
>
> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> One of the topics of conversation was whether or not the Modern TLS
> configuration should prefer AES-256 over AES-128. Recently, there has been
> some doubt cast over the security of AES-128, between posts by security
> researchers like djb, as well as the recent decision by the NSA to
> recommend AES-256 over AES-128, due to its increased resistance against
> quantum cryptography:
>
> http://blog.cr.yp.to/20151120-batchattacks.html
> https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
>
> The general consensus was to bring the conversation to the dev.tech.crypto
> group prior to updating the standards either way. There hasn't been any
> claim that AES-128 is actually broken, but the idea behind the Modern
> guidelines is to stay ahead of the cryptographic research curve. One thing
> to keep in mind is that the Modern guidelines are intended for modern
> systems that don't require any kind of backwards compatibility or
> necessarily need to be friendly towards old, underpowered systems (such
> as older smartphones).
>
> For reference, this is the current state of preference order for the four
> major browser manufacturers:
> Firefox: AES-128-GCM > AES-256-CBC > AES-256-CBC (doesn't include AES-256-GCM in list of cipher suites)
> Chrome: AES-128-GCM > AES-256-CBC > AES-128-CBC (also does not request AES-256-GCM)
> Safari: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
> Edge: AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
>
> Proposal for Modern:
> AES-256-GCM > AES-128-GCM > AES-256-CBC > AES-128-CBC
>
> If the general agreement is to move Modern to AES-256, it may also be
> worthwhile considering whether or when we move that recommendation down to
> the Intermediate level, which is intended for general purpose websites that
> don't have a need for backwards compatibility with very old clients (such
> as IE6/Win XP SP2).
>
> --
> dev-tech-crypto mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-tech-crypto
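An added example, not part of the thread and not Mozilla's tooling: a check that a server's cipher list offers suites in the relative order the quoted proposal gives for Modern. The function names, the sample lists in the usage and the cipher string under `__main__` are assumptions constructed for illustration.

```python
import re
import ssl

# Preference order proposed for "Modern" in the quoted message, best first.
PROPOSED_ORDER = ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "AES-128-CBC"]
RANK = {cls: i for i, cls in enumerate(PROPOSED_ORDER)}


def classify(suite):
    """Map an OpenSSL or IANA suite name to one of the four classes, else None."""
    name = suite.upper().replace("_", "-")
    m = re.search(r"AES-?(128|256)", name)
    if m is None or "CCM" in name:
        return None  # ChaCha20, 3DES, AES-CCM etc. are outside the proposal
    # OpenSSL names CBC suites without a mode token (e.g. ECDHE-RSA-AES256-SHA384)
    mode = "GCM" if "GCM" in name else "CBC"
    return f"AES-{m.group(1)}-{mode}"


def audit_order(suites):
    """Return (suite, earlier_suite) pairs where a class the proposal ranks
    higher is offered after a class it ranks lower."""
    violations, worst = [], None
    for suite in suites:
        cls = classify(suite)
        if cls is None:
            continue
        if worst is not None and RANK[cls] < RANK[classify(worst)]:
            violations.append((suite, worst))
        elif worst is None or RANK[cls] > RANK[classify(worst)]:
            worst = suite
    return violations


def expand(cipher_string):
    """Expand an OpenSSL cipher string with the local library, in preference
    order. TLS 1.3 suites are skipped: the cipher string does not control them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    # Constructed cipher string (an assumption, not Mozilla's published one).
    spec = "ECDHE+AESGCM+AES256:ECDHE+AESGCM+AES128:ECDHE+AES256:ECDHE+AES128"
    for suite, earlier in audit_order(expand(spec)):
        print(f"{suite} is offered after {earlier}")
```

A list that omits AES-256-GCM entirely, as the message reports for Chrome, passes this check because only relative order is audited.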

