doc: remove faulty justification for 128-bit AES
This sentence implies that AES-128 is preferred over AES-256 because
of a related-key attack from 2009. However, that attack by Alex
Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi
Shamir, while impressive, is only effective against variants of
AES-256 with a reduced number of rounds and it requires related keys.
This means that the attack is not effective against AES-256 as it is
used within TLS.

(AES-128 is still often preferred over AES-256 simply because it is
believed to be sufficiently secure and because it is faster.)

PR-URL: #42578
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Mestery <mestery@protonmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
tniessen authored and juanarbol committed Apr 6, 2022
1 parent 71f4a39 commit beffed1
Showing 1 changed file with 0 additions and 4 deletions.
4 changes: 0 additions & 4 deletions doc/api/tls.md
Expand Up @@ -385,9 +385,6 @@ The default cipher suite prefers GCM ciphers for [Chrome's 'modern
cryptography' setting][] and also prefers ECDHE and DHE ciphers for perfect
forward secrecy, while offering _some_ backward compatibility.

128 bit AES is preferred over 192 and 256 bit AES in light of [specific
attacks affecting larger AES key sizes][].

Old clients that rely on insecure and deprecated RC4 or DES-based ciphers
(like Internet Explorer 6) cannot complete the handshaking process with
the default configuration. If these clients _must_ be supported, the
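Review bot: deleting the two removed lines outright leaves this paragraph with no statement about AES key-size preference at all, even though the commit message itself gives the accurate rationale (AES-128 is "believed to be sufficiently secure" and "faster"). Rather than a bare removal, consider replacing the sentence with that rationale, e.g. `128 bit AES is preferred over 256 bit AES because it is believed to be sufficiently secure and is faster.`, so readers of the default cipher suite description still learn why the smaller key size is favoured without the misleading related-key reference.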
Expand Down Expand Up @@ -2256,4 +2253,3 @@ added: v11.4.0
[cipher list format]: https://www.openssl.org/docs/man1.1.1/man1/ciphers.html#CIPHER-LIST-FORMAT
[forward secrecy]: https://en.wikipedia.org/wiki/Perfect_forward_secrecy
[perfect forward secrecy]: #perfect-forward-secrecy
[specific attacks affecting larger AES key sizes]: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
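Review bot: the reference-style link definition is dropped together with its only visible use (the two lines deleted in the hunk above), so no orphaned definition is left behind and the remaining definitions keep their existing alphabetical order. Worth a quick `grep -rn 'specific attacks affecting larger AES key sizes' doc/` before landing to confirm no other document resolves a link through this label.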
