tarcieri
commented
3 years ago I'd suggest at least the following are safe to recommend:
aes-gcmaes-gcm-sivaes-sivchacha20poly1305eax
I don't think there are any algorithms implemented in this repo we should actively recommend people avoid, however some specific thoughts on why not to recommend certain algorithms:
ccm: obsoleted by eax
I don't think we should actively recommend against CCM as it is popular in the embedded space. However I think there were a number of bad decisions made in the design of CCM which are addressed by EAX. Some of those include:
- The length of the plaintext message and AAD need to be known in advance
- AAD is MAC'd last rather than first, which together with the above issue complicates online/streaming encryption
- AES-CCM uses needlessly complex message framing with variable-length length tags
xsalsa20poly1305: obsoleted by chacha20poly1305
- The ChaCha(20) stream cipher family provides better per-round diffusion than the Salsa20 family.
- ChaCha20 is a full AEAD algorithm, whereas XSalsa20Poly1305 does not support AAD.
- ChaCha20Poly1305 is specified in RFC 8439. XSalsa20Poly1305 has no associated RFC.
- The XChaCha20Poly1305 construction provides the same extended nonce benefits as XSalsa20Poly1305.
newpavlov
Following up from https://github.com/RustCrypto/meta/issues/10, this is an issue for discussion potentially adding "recommended" badges to certain algorithms in this repo: