Closed Bug 1248345 Opened 8 years ago Closed 8 years ago

AES in GCM mode is only available with ECC based PFS

Categories

(Core :: Security: PSM, defect)

44 Branch
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1029179

People

(Reporter: bjoern, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160209233610

Steps to reproduce:

In bug #1029179 it was already discussed to enable AES in GCM with DHE and not only with ECDHE.

One important point was missing in that discussion: Today's ECC cryptography will be weak as soon as quantum computers will become usable and they are making more and more progress. Actually the public won't know how much progress it made in some labs.

See also

https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#Quantum_computing_attacks

and this cite from https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

--snip--
Until this new (quantum computing safe cipher) suite is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms. For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition
--

Sites which want to be sure that their encrypted traffic will not be decipherable due to progress of quantum computing in the next years will disable elliptic curves and use DHE and not ECDHE for PFS.

Also have in mind that due to Grover's algorithm with quantum computing the key length of symmetric keys will be effectively divided by 2, so AES256 is advisable.

For those reasons Firefox should also offer something like TLS_DHE_RSA_WITH_AES_256_GCM_SHA256.
Component: Untriaged → Security: PSM
Product: Firefox → Core
Quantum computers can also break RSA and FFDH in polynomial time. They do not help much even if they are a bit less weak than EC.
Please do not file a duplicate bug intentionally.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
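As an added example that is not part of this bug thread or of Firefox/NSS code: a small Python classifier over IANA-style cipher-suite names that makes both claims in the thread checkable, that AES-GCM in the list is reachable only through ECDHE (the report), and that moving from ECDHE to DHE changes nothing about the key exchange's quantum resistance while Grover halves the symmetric margin (the reply). The suite list is a constructed sample, not the real Firefox 44 configuration.

```python
import re

# Constructed stand-in for a browser's TLS 1.2 suite list (NOT the real Firefox
# 44 list) with the property the report describes: AES-GCM only behind ECDHE.
SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

SUITE_RE = re.compile(
    r"^TLS_(?P<kex>ECDHE|DHE|RSA)(?:_(?P<auth>RSA|ECDSA))?_WITH_"
    r"(?P<cipher>AES_(?P<bits>128|256)_(?P<mode>GCM|CBC)|CHACHA20_POLY1305)"
    r"_(?P<mac>SHA256|SHA384|SHA)$")

def analyze(name):
    """Split an IANA-style suite name into its parts and annotate its strength."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kex, cipher = m["kex"], m["cipher"]
    classical_bits = int(m["bits"]) if m["bits"] else 256  # ChaCha20 uses a 256-bit key
    return {
        "kex": kex, "cipher": cipher,
        "auth": m["auth"] or "RSA",  # plain RSA suites authenticate with the RSA key
        "forward_secrecy": kex in ("DHE", "ECDHE"),
        "aead": cipher.startswith("CHACHA20") or m["mode"] == "GCM",
        # Grover: generic key search in ~2^(n/2) steps, so the effective
        # symmetric strength halves (the reporter's case for AES-256).
        "grover_bits": classical_bits // 2,
        # Shor breaks RSA, finite-field DH and EC DH alike, so swapping ECDHE
        # for DHE buys no quantum resistance (the point made in the reply).
        "kex_quantum_broken": True,
    }

def aead_by_kex(suites):
    """Which AEAD ciphers are reachable through each key-exchange method."""
    out = {}
    for info in map(analyze, suites):
        if info["aead"]:
            out.setdefault(info["kex"], set()).add(info["cipher"])
    return out

def min_grover_bits(suites):
    """Weakest post-Grover symmetric strength a peer could negotiate down to."""
    return min(analyze(s)["grover_bits"] for s in suites)
```

Running `aead_by_kex(SAMPLE_SUITES)` shows only `ECDHE` as a key, which is the situation the report complains about; adding TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 to the list gives DHE an AEAD suite with a 128-bit post-Grover margin, but `kex_quantum_broken` stays true for every suite.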