Re: [TLS] Comparative cipher suite strengths

Vipul Gupta <Vipul.Gupta@sun.com> Fri, 24 April 2009 16:22 UTC


I'm curious to learn why the discussion doesn't branch out to consider
ECC (e.g. RFC4492) instead of RSA? ECC is supported in
OpenSSL/Firefox/Internet Explorer. Is that because ECC certificates
aren't available from the popular Certificate Authorities? This should
be less of an issue in an embedded/closed environment where one could
use their own CA/cert.

vipul

p.s. For those unfamiliar with the performance advantages of ECC  
public key cryptography, especially at these higher key sizes, several  
papers are available at http://research.sun.com/projects/crypto.

On Apr 24, 2009, at 5:03 AM, Blumenthal, Uri wrote:

> Regarding the real-world trade-offs - it's fairly trivial. In my  
> experience it happened that I've heard back "We cannot  
> computationally afford RSA-XXXX, therefore it will be RSA-YYYY with  
> whatever protection level it gives. AES-128 is good, recognized, and  
> we can afford it - therefore it goes in regardless of whether it's  
> an overkill in the overall picture. We accept that the weakest  
> cryptographic link will be RSA, by a probable factor of Z^K." Then  
> the discussion would usually move to implementation details, with  
> other issues and weaknesses to address.
>
>
> ----- Original Message -----
> From: tls-bounces@ietf.org <tls-bounces@ietf.org>
> To: carlyoung@keycomm.co.uk <carlyoung@keycomm.co.uk>
> Cc: tls@ietf.org <tls@ietf.org>
> Sent: Fri Apr 24 05:38:52 2009
> Subject: Re: [TLS] Comparative cipher suite strengths
>
> carlyoung@keycomm.co.uk writes:
>
>> All I want to do is to advise them, and other customers, that migrating from
>> 3DES_EDE to AES-256 - without changing their certificates from 1024 bits -
>> has provided no appreciable gain in security strength as the RSA keys are the
>> weakest link in the chain.
>
> It'd be interesting to hear what they say (off-list, if it's non-public).  I
> have the feeling it'll be, as someone else in this thread put it, "<crickets>"
> :-).  For example I've got users using 512-bit public keys with AES because
> anything more heavyweight in the embedded device they produce makes the
> handshake unworkable.  Their risk assessment was that given the difference
> between no security (caused by connect attempts timing out, so people connect
> unsecured) and good-enough security, they'll opt for the good-enough security.
>
> (Incidentally, I'm always interested in real-world experiences that people
> have had in terms of users making tradeoffs like this, if anyone's got any
> interesting/illuminating stories I'd love to hear them).
>
> Peter.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
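
Added example, not part of the original thread: a small calculator for the "weakest link" comparison discussed above, pairing a public-key size with a bulk cipher and reporting which one bounds the suite. Assumptions: RSA strength is estimated from the asymptotic GNFS running time (the form used in FIPS 140-2 IG 7.5), ECC strength is taken as half the curve size, the cipher strengths are the commonly cited figures, and the 256-bit curve is an illustrative choice.

```python
import math

def rsa_strength_bits(modulus_bits: int) -> float:
    """Symmetric-equivalent strength of an RSA modulus, estimated from the
    asymptotic GNFS running time (formula as given in FIPS 140-2 IG 7.5)."""
    ln_n = modulus_bits * math.log(2)
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)

def ecc_strength_bits(curve_bits: int) -> float:
    """Generic square-root attacks (Pollard rho) cost about 2^(n/2)."""
    return curve_bits / 2

# Assumed, commonly cited effective strengths of the ciphers named in the thread.
CIPHER_BITS = {"3DES_EDE": 112, "AES-128": 128, "AES-256": 256}

def suite_strength(pubkey_kind: str, pubkey_bits: int, cipher: str):
    """Return (effective_bits, weakest_link) for one key/cipher pairing."""
    if pubkey_kind == "RSA":
        pk = rsa_strength_bits(pubkey_bits)
    elif pubkey_kind == "ECC":
        pk = ecc_strength_bits(pubkey_bits)
    else:
        raise ValueError(f"unknown public-key type: {pubkey_kind}")
    sym = CIPHER_BITS[cipher]
    if pk < sym:
        return round(pk), f"{pubkey_kind}-{pubkey_bits}"
    return sym, cipher

if __name__ == "__main__":
    # Pairings taken from the thread, plus one ECC pairing (assumed curve size).
    pairings = [
        ("RSA", 1024, "3DES_EDE"),
        ("RSA", 1024, "AES-256"),   # cipher upgrade alone: bound unchanged
        ("RSA", 512, "AES-128"),    # the embedded-device case
        ("RSA", 2048, "AES-128"),
        ("ECC", 256, "AES-128"),
    ]
    for kind, bits, cipher in pairings:
        eff, weakest = suite_strength(kind, bits, cipher)
        print(f"{kind}-{bits:<5} + {cipher:<8} -> ~{eff} bits, bounded by {weakest}")
```
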