Re: [TLS] Comparative cipher suite strengths
carlyoung@keycomm.co.uk Wed, 22 April 2009 11:15 UTC
Return-Path: <carlyoung@keycomm.co.uk>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9EF5A28C416 for <tls@core3.amsl.com>; Wed, 22 Apr 2009 04:15:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.134
X-Spam-Level:
X-Spam-Status: No, score=-2.134 tagged_above=-999 required=5 tests=[AWL=0.465, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3hx5in9eAoOo for <tls@core3.amsl.com>; Wed, 22 Apr 2009 04:15:18 -0700 (PDT)
Received: from smtp-out-56.livemail.co.uk (smtp-out-50.livemail.co.uk [213.171.216.50]) by core3.amsl.com (Postfix) with ESMTP id 7EA1D28C476 for <tls@ietf.org>; Wed, 22 Apr 2009 04:15:17 -0700 (PDT)
Received: from localhost (mail213-171-216-231.livemail.co.uk [213.171.216.231]) by smtp-out-56.livemail.co.uk (Postfix) with ESMTP id 73F2248C9CA; Wed, 22 Apr 2009 12:16:32 +0100 (BST)
MIME-Version: 1.0
X-Mailer: AtMail PHP 5.4
Message-ID: <51912.1240398992@keycomm.co.uk>
To: TLS <tls@ietf.org>
Content-Type: text/plain; charset="utf-8"
X-Origin: 93.96.210.102
X-Atmail-Account: carlyoung@keycomm.co.uk
Date: Wed, 22 Apr 2009 12:16:32 +0100
From: carlyoung@keycomm.co.uk
Content-Transfer-Encoding: quoted-printable
Subject: Re: [TLS] Comparative cipher suite strengths
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: carlyoung@keycomm.co.uk
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2009 11:15:19 -0000
>>On Wed 22/04/09 11:35 AM , Simon Josefsson simon@josefsson.org sent: >>> The "key strength" would be limited by the weakest link in the suite >>> though wouldn't it, which, in this case, is the RSA keys? Or are you >>> saying that the additional security of the PRF, key derivation >>> mechanisms, and the entropy in the random data overcomes this? >> >> No, I'm saying that talking about trying to match anything to >> AES-256 doesn't make sense. We don't know of any situation in >> which even AES-128 can be attacked. > >What we can always do, though, is to compare the amount of work needed >to break AES-256 with the amount of work needed to break RSA-y using >state-of-the-art attacks. It's possible that this imply y=15360. > >However, I agree that this is looking at things the wrong way. The >exercise should not have any practical consequences on what key sizes >you use. One should focus on selecting appropriate security level for >each algorithm. Today AES-128 and RSA-2048 will probably make >implementation bugs the weakest link for the majority of users. Thanks for all the responses. I think the following text is a better way of describing what I meant and why I was asking: We have a customer that mandated that we utilize AES-256 for the symmetric encryption keys used on our TLS sessions, so we have complied, and this works fine. Looking at implementation details from the customer, I found that they are using static X.509v3 certificates (CA issued), where the public key size is only 1024 bits. Therefore, in my mind, they are getting a false sense of security from using AES-256 as the underlying strength of the whole TLS session is determined by the weakest point - in this case the 1024 bit RSA keys, which NIST state to be equivalent to "80-bits" [when compared to a symmetric cipher I guess]. So, I would want to recommend to the customer that if they want a more secure TLS session, then they need to increase the RSA key sizes to "match" the symmetric key strength, as the overall security 'strength' of their TLS sessions comes down to their RSA key size [as it's lower comparably to AES-256]. Does this seem reasonable and make more sense than my original question? Regards, Carl
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- [TLS] Comparative cipher suite strengths Carl Young
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Simon Josefsson
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Michael.G.Williams
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Paul Hoffman
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Paul Hoffman
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Martin Rex
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Michael D'Errico
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Florian Weimer
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Vipul Gupta
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Robert Relyea
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Bill Frantz
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Jeffrey A. Williams
- Re: [TLS] Comparative cipher suite strengths Martin Rex
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin