Re: [TLS] A la carte handshake negotiation

Peter Gutmann <> Thu, 23 July 2015 02:50 UTC

Kyle Rose <> writes:

>In that case, we should dispense with any larger key sizes and recommend
>exactly one per algorithm, and vary only on algorithm. Adopting this would
>simplify things even further by reducing the cipher set list by an order of


>Sadly, I'm guessing there are numerological requirements in various standards
>and regulations that make it necessary to keep both AES-128 and AES-256
>around, for example. There are also a ton of existing 2048-bit RSA keys that
>aren't going anywhere for a while.

You could just say "anything over 1536 bits, 1536 or 2048 recommended", which
would deal with both.

>I'm also skeptical of statements like "Using any known technology it's
>unlikely that humans can ever get beyond about 2^^100 operations", because
>that's true exactly up until it isn't.

Right, but if you're going to use that argument then AES is breakable until it
isn't, you can't find SHA-256 collisions until you can, quantum crypto can be
broken by whoever you're afraid of, and so on.

One thing we've become pretty good at doing is taking current progress on
breaking crypto and mapping out what'll happen in the future, to the point
where there have been zero sudden breaks of properly-designed algorithms (DES,
AES, IDEA, SHA, RSA, DH, and so on), ever.  In every case we've been able to
see, from a long way off, what's in store.

And to see what's in store for PKCs, you can't use the computers used by
mathematicians/numerologists, which all have infinite amounts of
zero-cycle-time memory, but the ones that actually exist in the real world.
For a 1024-bit RSA key that's around 40 terabytes of memory for the final
step, and a 1280-bit key would require roughly a petabyte of RAM, all in a
single machine or a single-machine equivalent (a standard distributed cluster
won't work because of interconnect latency problems).  So you'd need to
dedicate the entire Tianhe-2 to breaking a single 1280-bit key (I don't know
how its memory architecture will affect performance, I just chose the world's
most powerful supercomputer because that happens to be barely enough to attack
a 1280-bit key, so I'm not sure how many years of time you'd need).

Or you could just backdoor the server, which is what'll actually happen to
anyone who wants to get in.  Heck, just the interest on the power bill for the
Tianhe-2 (if you assume the computer itself comes for free) would be enough to
bribe most of the maintenance staff to plug in a trojan USB key for a minute
or two while they're cleaning.

And if you really are concerned about China secretly building a second
Tianhe-2 and using it to attack your mail server, just change your key once a
year and you're OK.