IETF-SSH archive


Re: TLS considering an rc4-die-die-die draft



Damien Miller <djm%mindrot.org@localhost> writes:

> OpenSSH will turn RC4 off soon - we're just trying to figure out how
> to do it gently enough that working configurations don't suddenly break
> yet firmly enough that people actually move to a better cipher.

What breakage do you expect? Servers configured to support no other
cipher than arcfour, probably from some (possibly misguided) performance
argument?

> We'll be recommending chacha20-poly1305@openssh.com as a replacement
> where both ends support it.

If I have understood correctly, openssh uses the original definition of
chacha with 64-bits each for nonce and counter, while recent ietf drafts
specify a 96-bit nonce and only 32 bits for the counter. Is that right?
I think support for chacha-poly1305 is highly desirable, but it seems a
bit messy with specifications still in flux.

Best regards,
/Niels



-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.


