Re: [TLS] Comparative cipher suite strengths
Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 23 April 2009 07:04 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8483028C68B for <tls@core3.amsl.com>; Thu, 23 Apr 2009 00:04:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.03
X-Spam-Level:
X-Spam-Status: No, score=-6.03 tagged_above=-999 required=5 tests=[AWL=0.569, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OT35vx1lj8z4 for <tls@core3.amsl.com>; Thu, 23 Apr 2009 00:04:56 -0700 (PDT)
Received: from mailhost.auckland.ac.nz (larry.its.auckland.ac.nz [130.216.12.34]) by core3.amsl.com (Postfix) with ESMTP id A63883A6D9E for <tls@ietf.org>; Thu, 23 Apr 2009 00:04:56 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id C258F1BF2E; Thu, 23 Apr 2009 19:06:13 +1200 (NZST)
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Received: from mailhost.auckland.ac.nz ([127.0.0.1]) by localhost (larry.its.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qOXynwAU7CE7; Thu, 23 Apr 2009 19:06:13 +1200 (NZST)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 70A0D1BE81; Thu, 23 Apr 2009 19:06:11 +1200 (NZST)
Received: from wintermute01.cs.auckland.ac.nz (wintermute01.cs.auckland.ac.nz [130.216.34.38]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id CDF59E0808A; Thu, 23 Apr 2009 19:06:10 +1200 (NZST)
Received: from pgut001 by wintermute01.cs.auckland.ac.nz with local (Exim 4.63) (envelope-from <pgut001@wintermute01.cs.auckland.ac.nz>) id 1Lwt0c-0006jy-La; Thu, 23 Apr 2009 19:06:10 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: carlyoung@keycomm.co.uk
In-Reply-To: <51912.1240398992@keycomm.co.uk>
Message-Id: <E1Lwt0c-0006jy-La@wintermute01.cs.auckland.ac.nz>
Sender: pgut001 <pgut001@cs.auckland.ac.nz>
Date: Thu, 23 Apr 2009 19:06:10 +1200
Cc: tls@ietf.org
Subject: Re: [TLS] Comparative cipher suite strengths
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2009 07:04:57 -0000
carlyoung@keycomm.co.uk writes: >Therefore, in my mind, they are getting a false sense of security from using >AES-256 as the underlying strength of the whole TLS session is determined by >the weakest point - in this case the 1024 bit RSA keys, which NIST state to >be equivalent to "80-bits" [when compared to a symmetric cipher I guess]. They're not getting any sense of security at all. They initially wanted a cipher with 128-bit encryption, because everyone knows that you have to have 128 bits to be Good. AES encryption has the required 128 thingies, so they went with that. Then someone pointed out that there's a version of AES with 256 thingies instead of 128, and if 128 is Good then 256 must be even Gooder. So the requirement was changed to use AES with 256 thingies. If there was an AES with 397 thingies they'd go with that instead, because it's obvious that that one's ever Gooderer than the one with 256 thingies. >So, I would want to recommend to the customer that if they want a more secure >TLS session, They don't want a more secure TLS session, they want bigger numbers after their algorithm name. So the optimal approach here would be to write a draft for a new TLS cipher suite using the McEliece cryptosystem, because then you can use numbers bigger than anyone else. Peter.
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- [TLS] Comparative cipher suite strengths Carl Young
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Simon Josefsson
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Michael.G.Williams
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Paul Hoffman
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Paul Hoffman
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Martin Rex
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Michael D'Errico
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Florian Weimer
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Vipul Gupta
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Robert Relyea
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Bill Frantz
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Jeffrey A. Williams
- Re: [TLS] Comparative cipher suite strengths Martin Rex
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin