Re: [TLS] Comparative cipher suite strengths
Vipul Gupta <Vipul.Gupta@sun.com> Fri, 24 April 2009 16:22 UTC
I'm curious to learn why the discussion doesn't branch out to consider
ECC (e.g. RFC4492) instead of RSA? ECC is supported in
OpenSSL/Firefox/Internet Explorer. Is that because ECC certificates
aren't available from the popular Certificate Authorities? This should
be less of an issue in an embedded/closed environment where one could
use their own CA/cert.

vipul

p.s. For those unfamiliar with the performance advantages of ECC
public key cryptography, especially at these higher key sizes,
several papers are available at http://research.sun.com/projects/crypto.

On Apr 24, 2009, at 5:03 AM, Blumenthal, Uri wrote:

> Regarding the real-world trade-offs - it's fairly trivial. In my
> experience it happened that I've heard back "We cannot
> computationally afford RSA-XXXX, therefore it will be RSA-YYYY with
> whatever protection level it gives. AES-128 is good, recognized, and
> we can afford it - therefore it goes in regardless of whether it's
> an overkill in the overall picture. We accept that the weakest
> cryptographic link will be RSA, by a probable factor of Z^K." Then
> the discussion would usually move to implementation details, with
> other issues and weaknesses to address.
>
>
> ----- Original Message -----
> From: tls-bounces@ietf.org <tls-bounces@ietf.org>
> To: carlyoung@keycomm.co.uk <carlyoung@keycomm.co.uk>
> Cc: tls@ietf.org <tls@ietf.org>
> Sent: Fri Apr 24 05:38:52 2009
> Subject: Re: [TLS] Comparative cipher suite strengths
>
> carlyoung@keycomm.co.uk writes:
>
>> All I want to do is to advise them, and other customers, that
>> migrating from 3DES_EDE to AES-256 - without changing their
>> certificates from 1024 bits - has provided no appreciable gain in
>> security strength as the RSA keys are the weakest link in the chain.
>
> It'd be interesting to hear what they say (off-list, if it's
> non-public). I have the feeling it'll be, as someone else in this
> thread put it, "<crickets>" :-). For example I've got users using
> 512-bit public keys with AES because anything more heavyweight in the
> embedded device they produce makes the handshake unworkable. Their
> risk assessment was that given the difference between no security
> (caused by connect attempts timing out, so people connect unsecured)
> and good-enough security, they'll opt for the good-enough security.
>
> (Incidentally, I'm always interested in real-world experiences that
> people have had in terms of users making tradeoffs like this, if
> anyone's got any interesting/illuminating stories I'd love to hear
> them).
>
> Peter.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
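
An added example, not part of any message in this thread: a rough estimate of the weakest-link argument quoted above, taking a suite's strength as the minimum of its public-key and cipher strengths. The RSA figure uses the general number field sieve running-time formula with the o(1) term dropped, which runs a few bits above the 80 bits NIST SP 800-57 assigns to RSA-1024; the function names, the AES-128 choice for the 512-bit case and the 256-bit curve size are assumptions.

```python
import math

# Effective symmetric strengths in bits. Three-key 3DES is rated at 112 bits,
# not 168, because of meet-in-the-middle attacks.
CIPHER_BITS = {"3DES_EDE": 112, "AES-128": 128, "AES-256": 256}


def rsa_bits(modulus_bits):
    """log2 of the heuristic GNFS cost exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
    for factoring an RSA modulus n of the given size, c = (64/9)^(1/3)."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work_ln = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)


def ecc_bits(curve_bits):
    """Generic discrete-log attacks (Pollard rho) cost about the square root
    of the group order, so strength is roughly half the curve size."""
    return curve_bits / 2


def suite_strength(key_alg, key_bits, cipher):
    """Return (effective bits, weakest component) for one combination."""
    if key_alg == "RSA":
        pk = rsa_bits(key_bits)
    elif key_alg == "ECC":
        pk = ecc_bits(key_bits)
    else:
        raise ValueError("unknown public-key algorithm: " + key_alg)
    sym = CIPHER_BITS[cipher]
    weakest = key_alg if pk < sym else cipher
    return round(min(pk, sym), 1), weakest


if __name__ == "__main__":
    # Combinations drawn from the thread; key and curve sizes not stated in
    # the messages are constructed for illustration.
    for alg, bits, cipher in [
        ("RSA", 1024, "3DES_EDE"),  # before the migration described above
        ("RSA", 1024, "AES-256"),   # after it: same limit, set by the key
        ("RSA", 512, "AES-128"),    # embedded case (cipher size assumed)
        ("ECC", 256, "AES-128"),    # ECC alternative (curve size assumed)
    ]:
        strength, weakest = suite_strength(alg, bits, cipher)
        print(f"{alg}-{bits} + {cipher}: ~{strength} bits, limited by {weakest}")
```
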