Re: [TLS] Comparative cipher suite strengths

"Steven M. Bellovin" <smb@cs.columbia.edu> Wed, 22 April 2009 14:21 UTC


On Wed, 22 Apr 2009 07:14:11 -0700
Eric Rescorla <ekr@networkresonance.com> wrote:

> > Second, 1024-bit RSA is a much weaker link than 128-bit AES *today*
> > -- they should switch to 2048- or 3072-bit RSA even if they stick
> > with 128-bit AES.
> 
> This I only sort of agree with: symmetric algorithms come in
> relatively rough granularity. If I was happy with 80 bits of
> security (which is apparently what NIST claims for RSA-1024,
> though I've also heard 72), then there's no good reason
> to make my PK much slower just b/c NIST has declined to
> give me an 80-bit algorithm.
> 
Assuming, of course, that people realized how weak 1024-bit RSA is,
you're right.  Did people realize that?  *Do* people realize it?  When
I look at the number of CA certs in my browser that use 1024-bit keys,
I worry...

		--Steve Bellovin, http://www.cs.columbia.edu/~smb
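
The key-size comparison discussed in this thread, as an added example that is not part of the original message: it estimates the symmetric-equivalent strength of an RSA modulus from the asymptotic cost of the general number field sieve. The calibration offset (4.69, chosen so that a 1024-bit modulus lands near the 80-bit figure quoted above) and all function names are assumptions of this example.

```python
import math

# GNFS heuristic cost: exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), c = (64/9)^(1/3)
GNFS_C = (64 / 9) ** (1 / 3)

# Assumption: constant offset that pins a 1024-bit modulus to about 80 bits.
# The o(1) term of the asymptotic formula is ignored, so results are rough.
CALIBRATION = 4.69


def gnfs_bits(modulus_bits, calibration=CALIBRATION):
    """Estimated symmetric-equivalent strength (bits) of an RSA modulus."""
    ln_n = modulus_bits * math.log(2)
    work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return (work - calibration) / math.log(2)


def modulus_bits_for(target_bits, step=256):
    """Smallest modulus size (multiple of `step`) reaching `target_bits`."""
    bits = 512
    while gnfs_bits(bits) < target_bits:
        bits += step
    return bits


def compare(rsa_bits, symmetric_bits):
    """Identify the weaker primitive in a suite pairing RSA with a cipher."""
    rsa_strength = gnfs_bits(rsa_bits)
    weakest = "RSA" if rsa_strength < symmetric_bits else "symmetric"
    return {
        "rsa_strength": round(rsa_strength, 1),
        "weakest_link": weakest,
        "gap_bits": round(symmetric_bits - rsa_strength, 1),
    }


if __name__ == "__main__":
    for size in (1024, 2048, 3072):
        print(size, compare(size, 128))
    print("modulus needed to match a 128-bit cipher:", modulus_bits_for(128))
```

The estimates come out slightly different from the rounded table values NIST publishes (80, 112 and 128 bits for 1024, 2048 and 3072), which is expected from a formula that drops the lower-order terms.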