On Tue, 31 Dec 2013, James Cloos wrote:

> >>>>> "DM" == Damien Miller <djm at mindrot.org> writes:
>
> DM> Lots of cryptographers also think that AES-GCM is fiendishly difficult
> DM> to get right, especially wrt timing leaks. That, and its relative
> DM> newness in OpenSSH are the reasons it is not the default.
>
> Indeed, I should have added a paragraph about that.
>
> My understanding is that the consensus is that openssl has fixed the
> early bugs in its implementation and gcm therefore is safe enough to
> promote.

Evidence? openssl/crypto/modes/gcm128.c is full of array operations that
look decidedly non-constant time to me.

-d
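To make the distinction djm is drawing concrete, here is an added illustration (my own code, not OpenSSL's and not from this thread): the GHASH multiply X*H from SP 800-38D written once with masks so that no memory address or branch depends on secret bits, and once in the style of gcm128.c's 4-bit table routine, where the Htable and remainder lookups are indexed by secret nibbles. Table layout and the names mulx, gmult_ct, init_tables, gmult_table are my assumptions, not OpenSSL's API.

```c
#include <stdint.h>
typedef struct { uint64_t hi, lo; } blk;  /* hi = bytes 0-7 big-endian, lo = bytes 8-15 */
/* V*x in GF(2^128): shift right, fold the dropped bit in via R = 0xE1||0^120.
 * The mask replaces the "if LSB(V)" branch of SP 800-38D Algorithm 1. */
static blk mulx(blk v) {
    uint64_t m = 0 - (v.lo & 1);
    v.lo = (v.lo >> 1) | (v.hi << 63);
    v.hi = (v.hi >> 1) ^ (0xE100000000000000ULL & m);
    return v;
}
/* Constant-time X*H: every secret bit is consumed as a mask, so neither
 * control flow nor memory addresses depend on X or H. */
static blk gmult_ct(blk x, blk h) {
    blk z = {0, 0}, v = h;
    for (int i = 0; i < 128; i++) {                  /* public index only */
        uint64_t bit = i < 64 ? (x.hi >> (63 - i)) & 1 : (x.lo >> (127 - i)) & 1;
        uint64_t m = 0 - bit;
        z.hi ^= v.hi & m; z.lo ^= v.lo & m;
        v = mulx(v);
    }
    return z;
}
/* 4-bit table method (assumed layout, modelled on gcm128.c's gcm_gmult_4bit):
 * T[n] = n*H for each nibble n; rem[r] folds the four bits shifted out of Z back in. */
static void init_tables(blk h, blk T[16], uint64_t rem[16]) {
    T[0].hi = T[0].lo = 0;
    T[8] = h; T[4] = mulx(T[8]); T[2] = mulx(T[4]); T[1] = mulx(T[2]);
    for (int i = 2; i < 16; i <<= 1)
        for (int k = 1; k < i; k++) {
            T[i + k].hi = T[i].hi ^ T[k].hi; T[i + k].lo = T[i].lo ^ T[k].lo;
        }
    for (uint64_t r = 0; r < 16; r++) {
        blk v = {0, r};
        for (int s = 0; s < 4; s++) v = mulx(v);
        rem[r] = v.hi;
    }
}
/* Variable-time: T[n] and rem[r] are loaded at secret-dependent addresses,
 * so the cache lines touched depend on the key and on the data being hashed. */
static blk gmult_table(blk x, const blk T[16], const uint64_t rem[16]) {
    blk z = {0, 0};
    for (int j = 31; j >= 0; j--) {
        uint64_t n = j < 16 ? (x.hi >> (60 - 4 * j)) & 0xF : (x.lo >> (124 - 4 * j)) & 0xF;
        uint64_t r = z.lo & 0xF;
        z.lo = (z.lo >> 4) | (z.hi << 60);
        z.hi = (z.hi >> 4) ^ rem[r] ^ T[n].hi;        /* secret-indexed loads */
        z.lo ^= T[n].lo;
    }
    return z;
}
```

Both routines compute the same field product, which is the point: the leak is not in the arithmetic but in where the table version reads from.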