On Mon, May 18, 2015 at 6:58 PM, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote: > Stephan Mueller <smueller@xxxxxxxxxx> wrote: >> >> I hear more and more discussions about recommendations to use AES 256 and not >> AES 128. Or perhaps other ciphers with 256-bit keys. Salsa, ChaCha and several of the Caesar candidates support those. >> These kind of recommendations will eventually also affect the entropy >> requirements for noise sources. This is my motivation for the patch: allowing >> different user groups to set the minimum bar for the nonblocking pool to >> *higher* levels (the examples for 80 to 112 bits or 100 to 125 bits shall just >> show that there are active revisions of entropy requirements). > > Does anyone need to raise this from 128 today? If not then this > patch is pointless. There is an RFC for ChaCha in IETF protocols https://www.rfc-editor.org/rfc/rfc7539.txt That RFC is new, issued this month, so it will probably be a while before we need to worry about it. I do think finding a way to support changing the init requirement from 128 to 256 bits will be useful at some point. However, I doubt it is urgent since few protocols need it now. On the other hand, IPsec and TLS both include AES-256, I think. When we do do it, I see no reason to support anything other than 128 and 256, and I am not sure about retaining 128. Nor do I see any reason this should be a command-line option rather than just a compile-time constant. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
