TLS 1.3 currently has AES-256-GCM and ChaCha20-Poly1305 as 256-bit ciphers. AES-CCM ciphers are more oriented towards an IOT niche where CCM is implemented for lower layer protocols. I'm not sure if there are implementations of AES-256-CCM or AES-256-CCM_8 in use.
Joe On Fri, Feb 24, 2017 at 7:12 AM, William Whyte <wwh...@onboardsecurity.com> wrote: > Right. I fee l strongly that it'd be wise to bless a single 256-bit cipher > as part of the core TLS 1.3 family of techniques, but I don't feel strongly > that it should be AES-256. ChaCha? > > Cheers, > > William > > On Fri, Feb 24, 2017 at 9:55 AM, Salz, Rich <rs...@akamai.com> wrote: > >> > There's an argument that it's worth building in a 256-bit cipher for >> quantum resistance. Not clear that AES-256 is the best 256-bit cipher >> though. >> >> Yes, I get that. >> >> "not clear" is a highly uncompelling argument, tho. >> > >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
