IETF Logo Mail Archive

Re: [TLS] Comparative cipher suite strengths

Robert Relyea <rrelyea@redhat.com> Fri, 24 April 2009 18:32 UTC

Return-Path: <rrelyea@redhat.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AC6143A6A24 for <tls@core3.amsl.com>; Fri, 24 Apr 2009 11:32:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jv----eU1H9x for <tls@core3.amsl.com>; Fri, 24 Apr 2009 11:32:24 -0700 (PDT)
Received: from mx2.redhat.com (mx2.redhat.com [66.187.237.31]) by core3.amsl.com (Postfix) with ESMTP id C58B63A67E7 for <tls@ietf.org>; Fri, 24 Apr 2009 11:32:24 -0700 (PDT)
Received: from int-mx2.corp.redhat.com (int-mx2.corp.redhat.com [172.16.27.26]) by mx2.redhat.com (8.13.8/8.13.8) with ESMTP id n3OIXh4a005106 for <tls@ietf.org>; Fri, 24 Apr 2009 14:33:43 -0400
Received: from ns3.rdu.redhat.com (ns3.rdu.redhat.com [10.11.255.199]) by int-mx2.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n3OIXg1L003990 for <tls@ietf.org>; Fri, 24 Apr 2009 14:33:42 -0400
Received: from [10.14.54.218] (dhcp-218.sjc.redhat.com [10.14.54.218]) by ns3.rdu.redhat.com (8.13.8/8.13.8) with ESMTP id n3OIXfKl003482 for <tls@ietf.org>; Fri, 24 Apr 2009 14:33:41 -0400
Message-ID: <49F20606.8040606@REDHAT.COM>
Date: Fri, 24 Apr 2009 11:33:42 -0700
From: Robert Relyea <rrelyea@redhat.com>
User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
MIME-Version: 1.0
To: tls@ietf.org
References: <E1Lwt0c-0006jy-La@wintermute01.cs.auckland.ac.nz>
In-Reply-To: <E1Lwt0c-0006jy-La@wintermute01.cs.auckland.ac.nz>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms050205000807000001030107"
X-Scanned-By: MIMEDefang 2.58 on 172.16.27.26
Subject: Re: [TLS] Comparative cipher suite strengths
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2009 18:32:25 -0000

Peter Gutmann wrote:
> carlyoung@keycomm.co.uk writes:
>
>   
>> Therefore, in my mind, they are getting a false sense of security from using
>> AES-256 as the underlying strength of the whole TLS session is determined by
>> the weakest point - in this case the 1024 bit RSA keys, which NIST state to
>> be equivalent to "80-bits" [when compared to a symmetric cipher I guess].
>>     
>
> They're not getting any sense of security at all.  They initially wanted a
> cipher with 128-bit encryption, because everyone knows that you have to have
> 128 bits to be Good.  AES encryption has the required 128 thingies, so they
> went with that.
>
> Then someone pointed out that there's a version of AES with 256 thingies
> instead of 128, and if 128 is Good then 256 must be even Gooder.  So the
> requirement was changed to use AES with 256 thingies.
>
> If there was an AES with 397 thingies they'd go with that instead, because
> it's obvious that that one's ever Gooderer than the one with 256 thingies.
>   
So there is a method behind the AES-256 bit madness, and can see it in 
the cipher suites that NIST specifies.

As Carl has found (and most on this list is familiar with), NIST has 
standardized it's 'strength' specification in terms of symmetric key 
algorithm, which is why he matched AES-256 with a 15K bit RSA key.

NIST also defines strengths for various security levels. 128 bits is the 
minimum for Secret, 192 is the minimum for Top Secret. These numbers are 
both chosen to be more than known foreign governments and agencies are 
likely to be able to crack (presumably including a generous safety factor).

In addition to security levels, NIST also defines a set of cipher suites 
for these levels:

Secret: AES-128, ECC-256 prime, SHA-256
Top Secret: AES-256, ECC 384 prime, SHA-384

Note that AES-256 has a bigger key than required.  NIST specified 
AES-256 because it was already the same speed as AES-192. I don't know 
why they didn't specify SHA-512 over SHA-384 (which has the same 
characteristics).

The upshot is even NIST, using top secret doesn't need 256 bits. It's 
just the easiest way to meet their 192 bit requirement. Also not that 
AES-128 is considered sufficient for the US government to encode  Secret 
information. For practical and commercial use, it's still overkill. 80- 
100 bits is still sufficient for now (though moving toward 100 bits is 
probably prudent).

So you need to go back to your customer and find out what their real key 
strength need is. If your customer needs 192 bits, you probably want to 
move toward ECC ciphers (If you customer's AES-256 is coming from a NIST 
Suite-B requirement, then you'll need to move there anyway). Otherwise 
you are looking at a 7K bit RSA key to meet that requirement.

If you aren't talking to a Suite-B customer, then the info you are 
getting from this list is probably correct "AES-256 sounds strong, might 
as well go there" ignoring the fact that even at AES-128 your weak link 
is RSA (unless you use a 3K key).

bob

v2.23.0 | Report a Bug | By Email