
Module _05_defaults


This section gives the rationale for the default choices made in rustls.

§Rationale for defaults

§Why is AES-256 preferred over AES-128?

This is a trade-off between:

  1. classical security level: exhaustively searching a 2^128 key space is already as implausible as searching a 2^256 one, so both are adequate against classical attackers.
  2. post-quantum security level: here the difference is more meaningful (Grover's algorithm roughly halves the effective key length), and AES-256 is the conservative choice.
  3. performance: AES-256 is around 40% slower than AES-128 (14 rounds instead of 10), though hardware acceleration typically narrows this gap.

This choice is frankly quite marginal.

§Why is AES-GCM preferred over chacha20-poly1305?

Hardware support for accelerating AES-GCM is widespread, and hardware-accelerated AES-GCM is quicker than un-accelerated chacha20-poly1305.

However, if you know your application will run on a platform without such acceleration, you should definitely change the default order to prefer chacha20-poly1305: both performance and implementation security improve (a software AES implementation is slower and harder to keep free of cache-timing side channels, while chacha20-poly1305 is designed to run in constant time on general-purpose CPUs). We think this is an uncommon case.

§Why is x25519 preferred for key exchange over nistp256?

Both provide roughly the same classical security level, but x25519 has better performance, and it is much more likely that both peers will have good quality implementations (the curve and its wire format were designed to make constant-time implementations straightforward and to avoid invalid-point classes of bugs).

§About the post-quantum-secure key exchange X25519MLKEM768

X25519MLKEM768, a hybrid[1], post-quantum-secure[2] key exchange algorithm, is available when using the aws-lc-rs provider.

The prefer-post-quantum crate feature makes X25519MLKEM768 the highest-priority key exchange algorithm. Otherwise, it is available but not highest-priority.

X25519MLKEM768 is pre-standardization, but is now widely deployed, for example by Chrome and Cloudflare.

You may see unexpected connection failures (such as tldr.fail, where middleboxes or servers mishandle the larger ClientHello that the hybrid key share produces); please report these to us.

The two components of this key exchange are well regarded: X25519 alone is already used by default in rustls, and tends to have higher quality implementations than other elliptic curves. ML-KEM-768 was standardized by NIST in FIPS 203.

MLKEM768 is available separately (that is, without the X25519 half), but is not currently enabled by default out of conservatism.
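The two knobs described above (preferring chacha20-poly1305 on platforms without AES acceleration, and putting X25519MLKEM768 at the top of the key-exchange list) both amount to reordering a preference list before handing it to rustls. The following is an added, stand-alone example rather than code from rustls: it models the suites and groups as plain name strings (mirroring the constant names in rustls's provider modules; the lists themselves are an assumption, not the crate's own constants), detects AES hardware support with the standard library's feature-detection macros, and computes the orders a practitioner would then pass to rustls. In rustls 0.23 the real values would be the `cipher_suites` and `kx_groups` fields of a `rustls::crypto::CryptoProvider`; that mapping is also an assumption stated here, not shown in the code.

```rust
// Added example, not part of rustls. The string names below stand in for
// rustls's `SupportedCipherSuite` / `SupportedKxGroup` values (assumption).

/// rustls's documented default cipher-suite preference: AES-256-GCM, then
/// AES-128-GCM, then ChaCha20-Poly1305, with TLS 1.3 suites ahead of TLS 1.2
/// ones. Constructed list for this example.
const DEFAULT_CIPHER_SUITES: &[&str] = &[
    "TLS13_AES_256_GCM_SHA384",
    "TLS13_AES_128_GCM_SHA256",
    "TLS13_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
];

/// Key-exchange groups with the hybrid available but, as without the
/// `prefer-post-quantum` feature, not at the top. Constructed list.
const DEFAULT_KX_GROUPS: &[&str] = &["X25519", "SECP256R1", "SECP384R1", "X25519MLKEM768"];

/// Runtime check for AES instructions. On x86 this is AES-NI; on aarch64 the
/// ARMv8 crypto extensions. Other targets are assumed unaccelerated.
#[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
fn aes_hardware_available() -> bool {
    std::arch::is_x86_feature_detected!("aes")
}
#[cfg(target_arch = "aarch64")]
fn aes_hardware_available() -> bool {
    std::arch::is_aarch64_feature_detected!("aes")
}
#[cfg(not(any(target_arch = "x86", target_arch = "x86_64", target_arch = "aarch64")))]
fn aes_hardware_available() -> bool {
    false
}

/// Cipher-suite order for a platform. Without AES acceleration, ChaCha20-
/// Poly1305 is moved ahead of the AES-GCM suites while keeping rustls's
/// grouping of TLS 1.3 suites before TLS 1.2 suites.
fn cipher_suite_order(aes_accelerated: bool) -> Vec<&'static str> {
    let mut order = DEFAULT_CIPHER_SUITES.to_vec();
    if !aes_accelerated {
        // sort_by_key is stable, so suites with equal keys keep their
        // relative order (AES-256 stays ahead of AES-128).
        order.sort_by_key(|s| (!s.starts_with("TLS13_"), !s.contains("CHACHA20")));
    }
    order
}

/// Key-exchange order. With `prefer_post_quantum`, the hybrid group is
/// promoted to the front, like the `prefer-post-quantum` crate feature does.
fn kx_group_order(prefer_post_quantum: bool) -> Vec<&'static str> {
    let mut order = DEFAULT_KX_GROUPS.to_vec();
    if prefer_post_quantum {
        order.sort_by_key(|g| *g != "X25519MLKEM768");
    }
    order
}

fn main() {
    let accelerated = aes_hardware_available();
    println!("AES hardware acceleration detected: {accelerated}");
    println!("cipher suites: {:?}", cipher_suite_order(accelerated));
    println!("kx groups:     {:?}", kx_group_order(true));
}
```

Running the binary prints the order for the machine it runs on; the decision is made once at startup, so a process that is built on an accelerated machine but deployed to an unaccelerated one still gets the right order. Note that the check only says whether the instructions exist, not whether the chosen crypto provider actually uses them, so confirm that against your provider's documentation before relying on the AES default.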


  1. meaning: a construction that runs a classical and a post-quantum key exchange, and uses the output of both together. This is a hedge against the post-quantum half being broken: an attacker must break both to recover the shared secret.

  2. A "post-quantum-secure" algorithm is one posited to be invulnerable to attack using a cryptographically-relevant quantum computer. In contrast, classical algorithms would be broken by such a computer. Note that such computers do not currently exist, and may never exist, but current traffic could be captured now and attacked later.