doc: remove faulty justification for 128-bit AES

This sentence implies that AES-128 is preferred over AES-256 because of a related-key attack from 2009. However, that attack by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, while impressive, is only effective against variants of AES-256 with a reduced number of rounds and it requires related keys. This means that the attack is not effective against AES-256 as it is used within TLS. (AES-128 is still often preferred over AES-256 simply because it is believed to be sufficiently secure and because it is faster.) PR-URL: #42578 Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Mestery <[email protected]> Reviewed-By: Mohammed Keyvanzadeh <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>
nodejs · Apr 4, 2022 · e158a8d · e158a8d
1 parent 73a1d22
commit e158a8d
Showing 1 changed file with 0 additions and 4 deletions.
diff --git a/doc/api/tls.md b/doc/api/tls.md
@@ -385,9 +385,6 @@ The default cipher suite prefers GCM ciphers for [Chrome's 'modern
 cryptography' setting][] and also prefers ECDHE and DHE ciphers for perfect
 forward secrecy, while offering _some_ backward compatibility.
 
-128 bit AES is preferred over 192 and 256 bit AES in light of [specific
-attacks affecting larger AES key sizes][].
-
 Old clients that rely on insecure and deprecated RC4 or DES-based ciphers
 (like Internet Explorer 6) cannot complete the handshaking process with
 the default configuration. If these clients _must_ be supported, the
@@ -2256,4 +2253,3 @@ added: v11.4.0
 [cipher list format]: https://www.openssl.org/docs/man1.1.1/man1/ciphers.html#CIPHER-LIST-FORMAT
 [forward secrecy]: https://en.wikipedia.org/wiki/Perfect_forward_secrecy
 [perfect forward secrecy]: #perfect-forward-secrecy
-[specific attacks affecting larger AES key sizes]: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html