Intent to Ship: AES_256_GCM in TLS.

60 views
Skip to first unread message

David Benjamin

unread,
Mar 2, 2016, 5:48:03 PM3/2/16
to blink-dev, net-dev, security-dev, a...@chromium.org

Contact emails

davi...@chromium.org


Spec

https://tools.ietf.org/html/rfc5246

Summary

We will be offering AES_256_GCM in TLS connections.


Motivation

Historically, TLS had two AES ciphers based on CBC mode, AES_128_CBC and AES_256_CBC. But TLS’s CBC mode construction was flawed, making it fragile and very difficult to implement securely (for the current taxonomy, see BEAST, Lucky Thirteen, and POODLE). TLS 1.2 added new AES-based ciphers, AES_128_GCM and AES_256_GCM, whose constructions do not have this problem.


When we originally implemented TLS 1.2 in NSS, we only added AES_128_GCM and not AES_256_GCM. AES_256_GCM requires a SHA-384 PRF which NSS did not support. We also did not consider AES_256_GCM to be worth the performance cost.


Unfortunately, many popular server implementations order ciphers numerically first, placing AES_256_CBC above AES_128_GCM. Those servers will select the obsolete AES_256_CBC when connecting to Chromium-based browsers, rather than our preferred AES_128_GCM.


We do not agree with this ordering, but we propose to add AES_256_GCM so that these servers will select a modern cipher with Chromium-based browsers. This should also simplify TLS configurations for administrators concerned with maximizing key sizes. We expect this to increase our usage of AES-GCM over the legacy CBC-mode ciphers.


For servers that use the client-provided ordering, we will be inserting AES_256_GCM below AES_128_GCM for now. However, as always, servers are free to assert their own ordering should they wish to use AES_256_GCM over AES_128_GCM.


Interoperability and Compatibility Risk

Negligible. This is a mature specification and AES_256_GCM is advertised by the recent versions of Edge and Safari.


Ongoing technical constraints

Negligible. Now that we are using BoringSSL, we can freely use ciphers that need a SHA-384 PRF.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes.


OWP launch tracking bug
https://crbug.com/591516


Link to entry on the feature dashboard
https://www.chromestatus.com/feature/5659196699705344


Requesting approval to ship?

Yes.

Chris Harrelson

unread,
Mar 2, 2016, 5:59:05 PM3/2/16
to David Benjamin, blink-dev, net-dev, security-dev, a...@chromium.org
LGTM1

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Philip Jägenstedt

unread,
Mar 3, 2016, 1:27:36 AM3/3/16
to Chris Harrelson, David Benjamin, blink-dev, net-dev, security-dev, a...@chromium.org
LGTM2

Rick Byers

unread,
Mar 3, 2016, 7:14:46 AM3/3/16
to Philip Jägenstedt, David Benjamin, Chris Harrelson, a...@chromium.org, security-dev, net-dev, blink-dev

LGTM3

Reply all
Reply to author
Forward
0 new messages