Re: [TLS] Comparative cipher suite strengths
Robert Relyea <rrelyea@redhat.com> Fri, 24 April 2009 18:32 UTC
Return-Path: <rrelyea@redhat.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AC6143A6A24 for <tls@core3.amsl.com>; Fri, 24 Apr 2009 11:32:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jv----eU1H9x for <tls@core3.amsl.com>; Fri, 24 Apr 2009 11:32:24 -0700 (PDT)
Received: from mx2.redhat.com (mx2.redhat.com [66.187.237.31]) by core3.amsl.com (Postfix) with ESMTP id C58B63A67E7 for <tls@ietf.org>; Fri, 24 Apr 2009 11:32:24 -0700 (PDT)
Received: from int-mx2.corp.redhat.com (int-mx2.corp.redhat.com [172.16.27.26]) by mx2.redhat.com (8.13.8/8.13.8) with ESMTP id n3OIXh4a005106 for <tls@ietf.org>; Fri, 24 Apr 2009 14:33:43 -0400
Received: from ns3.rdu.redhat.com (ns3.rdu.redhat.com [10.11.255.199]) by int-mx2.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n3OIXg1L003990 for <tls@ietf.org>; Fri, 24 Apr 2009 14:33:42 -0400
Received: from [10.14.54.218] (dhcp-218.sjc.redhat.com [10.14.54.218]) by ns3.rdu.redhat.com (8.13.8/8.13.8) with ESMTP id n3OIXfKl003482 for <tls@ietf.org>; Fri, 24 Apr 2009 14:33:41 -0400
Message-ID: <49F20606.8040606@REDHAT.COM>
Date: Fri, 24 Apr 2009 11:33:42 -0700
From: Robert Relyea <rrelyea@redhat.com>
User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
MIME-Version: 1.0
To: tls@ietf.org
References: <E1Lwt0c-0006jy-La@wintermute01.cs.auckland.ac.nz>
In-Reply-To: <E1Lwt0c-0006jy-La@wintermute01.cs.auckland.ac.nz>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms050205000807000001030107"
X-Scanned-By: MIMEDefang 2.58 on 172.16.27.26
Subject: Re: [TLS] Comparative cipher suite strengths
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2009 18:32:25 -0000
Peter Gutmann wrote: > carlyoung@keycomm.co.uk writes: > > >> Therefore, in my mind, they are getting a false sense of security from using >> AES-256 as the underlying strength of the whole TLS session is determined by >> the weakest point - in this case the 1024 bit RSA keys, which NIST state to >> be equivalent to "80-bits" [when compared to a symmetric cipher I guess]. >> > > They're not getting any sense of security at all. They initially wanted a > cipher with 128-bit encryption, because everyone knows that you have to have > 128 bits to be Good. AES encryption has the required 128 thingies, so they > went with that. > > Then someone pointed out that there's a version of AES with 256 thingies > instead of 128, and if 128 is Good then 256 must be even Gooder. So the > requirement was changed to use AES with 256 thingies. > > If there was an AES with 397 thingies they'd go with that instead, because > it's obvious that that one's ever Gooderer than the one with 256 thingies. > So there is a method behind the AES-256 bit madness, and can see it in the cipher suites that NIST specifies. As Carl has found (and most on this list is familiar with), NIST has standardized it's 'strength' specification in terms of symmetric key algorithm, which is why he matched AES-256 with a 15K bit RSA key. NIST also defines strengths for various security levels. 128 bits is the minimum for Secret, 192 is the minimum for Top Secret. These numbers are both chosen to be more than known foreign governments and agencies are likely to be able to crack (presumably including a generous safety factor). In addition to security levels, NIST also defines a set of cipher suites for these levels: Secret: AES-128, ECC-256 prime, SHA-256 Top Secret: AES-256, ECC 384 prime, SHA-384 Note that AES-256 has a bigger key than required. NIST specified AES-256 because it was already the same speed as AES-192. I don't know why they didn't specify SHA-512 over SHA-384 (which has the same characteristics). The upshot is even NIST, using top secret doesn't need 256 bits. It's just the easiest way to meet their 192 bit requirement. Also not that AES-128 is considered sufficient for the US government to encode Secret information. For practical and commercial use, it's still overkill. 80- 100 bits is still sufficient for now (though moving toward 100 bits is probably prudent). So you need to go back to your customer and find out what their real key strength need is. If your customer needs 192 bits, you probably want to move toward ECC ciphers (If you customer's AES-256 is coming from a NIST Suite-B requirement, then you'll need to move there anyway). Otherwise you are looking at a 7K bit RSA key to meet that requirement. If you aren't talking to a Suite-B customer, then the info you are getting from this list is probably correct "AES-256 sounds strong, might as well go there" ignoring the fact that even at AES-128 your weak link is RSA (unless you use a 3K key). bob
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- [TLS] Comparative cipher suite strengths Carl Young
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Simon Josefsson
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Michael.G.Williams
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Paul Hoffman
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Paul Hoffman
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Martin Rex
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Michael D'Errico
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Florian Weimer
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Vipul Gupta
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Robert Relyea
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Bill Frantz
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Jeffrey A. Williams
- Re: [TLS] Comparative cipher suite strengths Martin Rex
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin