Add and enable AES CCM ciphers #271
Conversation
|
Would you show the document that says CCM is stronger than GCM? |
|
I don't think there is. But 256 is stronger than 128, isn't it? |
|
Oh. I didn't notice the bit sizes. Probably you are right. BTW, do you know why GCM is used instead of CCM in the main stream such as HTTP/2? |
|
CCM needs two AES operations per block, so is twice slower. |
|
@ocheron Thank you for the explanation! I did not know it. |
|
Ping @vdukhovni |
|
Given the performance impact, I'm reluctant to say that CCM is sufficiently stronger over GCM to justify the preference. But I am not a cryptographer. This question is better for the cryptography list: http://www.metzdowd.com/mailman/listinfo/cryptography |
|
See also: https://tools.ietf.org/html/draft-ietf-tls-iana-registry-updates-04#section-9 |
|
A more focused forum for such a question may be the TLS working group. |
|
our current of implementation of GCM is not sufficiently optimised, so it's even possible that 2 block encryption are currenlty faster than 1 block encryption + 1 GFmul. |
|
👍 nice addition and thanks for keeping track of haskell-ci/travis stuff too ! |
|
Any appetite for removing CCM8? I think it is not recommended for TLS. |
|
I included CCM8 mainly because there is a cipher defined in the TLS 1.3 draft. |
@vdukhovni Any references which suggest that CCM8 is not recommended for TLS? |
No reason to hold this any longer now that cryptonite-0.25 is in lts.
@vdukhovni Can you look if I got the order of ciphersuites right?
Basically in ciphersuite_strong I priorize AES256CCM over AES128GCM for security reason.
In ciphersuite_default, order is reversed for performance reason.
CCM8 is only in ciphersuite_all because I don't believe it's often used. It's only half of an AEAD.