Re: [TLS] Comparative cipher suite strengths

"Steven M. Bellovin" <smb@cs.columbia.edu> Thu, 23 April 2009 19:04 UTC

Return-Path: <smb@cs.columbia.edu>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F04F828C71F for <tls@core3.amsl.com>; Thu, 23 Apr 2009 12:04:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.745
X-Spam-Level:
X-Spam-Status: No, score=-5.745 tagged_above=-999 required=5 tests=[AWL=-0.635, BAYES_05=-1.11, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CFW8TVWdz+HX for <tls@core3.amsl.com>; Thu, 23 Apr 2009 12:04:28 -0700 (PDT)
Received: from machshav.com (machshav.com [198.180.150.44]) by core3.amsl.com (Postfix) with ESMTP id 795433A68FB for <tls@ietf.org>; Thu, 23 Apr 2009 12:04:09 -0700 (PDT)
Received: by machshav.com (Postfix, from userid 512) id E124232923E; Thu, 23 Apr 2009 19:05:17 +0000 (GMT)
Received: from yellowstone.machshav.com (localhost [127.0.0.1]) by machshav.com (Postfix) with ESMTP id 7A49D32923C; Thu, 23 Apr 2009 19:05:16 +0000 (GMT)
Received: from cs.columbia.edu (localhost [127.0.0.1]) by yellowstone.machshav.com (Postfix) with ESMTP id 7455429830F; Thu, 23 Apr 2009 15:05:15 -0400 (EDT)
Date: Thu, 23 Apr 2009 15:05:15 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Eric Rescorla <ekr@networkresonance.com>
Message-ID: <20090423150515.1b202723@cs.columbia.edu>
In-Reply-To: <20090423134052.21DB1188745@kilo.networkresonance.com>
References: <E1Lwt0c-0006jy-La@wintermute01.cs.auckland.ac.nz> <C615D006.41DE%uri@ll.mit.edu> <20090423134052.21DB1188745@kilo.networkresonance.com>
Organization: Columbia University
X-Mailer: Claws Mail 3.7.0 (GTK+ 2.16.0; x86_64--netbsd)
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comparative cipher suite strengths
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2009 19:04:29 -0000

On Thu, 23 Apr 2009 06:40:51 -0700
Eric Rescorla <ekr@networkresonance.com> wrote:

> How is it that the same government which can't seem to efficiently
> conduct elections or clean up after Hurricane Katrina is suddenly
> infallible when it comes to crypto? Is it just because the message
> comes from Fort Meade or what?

Infallible?  No, of course not.  And no government has ever fielded a
system that they knew the enemy could break -- and of course many
governments have been wrong.  That may include the NSA -- Heath's
master's thesis concludes that the Soviets likely broke NSA's KW-7
encryptor circa 1970.  (She also concluded that the Navy's key-handling
practices were awful.)  Recently declassified documents say that NSA
started having great cryptanalytic success of its own against the
Soviets in the late 1970s.

But -- remember Biham, Biryukov, and Shamir's 2^78 impossible
differential attack on 31-round Skipjack?  2^78 isn't an impressive
result against an 80-bit cipher, and the attack could not be extended
to the full 32 rounds in any case.  But it was interesting that there
was this slight improvement over brute force, so I brought it up in
conversation with a friend who knows a fair amount about the subject.
His comment?  "A 2^78 attack against an 80-bit cipher?  That's not an
attack, that's good engineering."  Maybe NSA really does understand
this stuff that well...

One more point: NSA may or may not be able to speak ex cathedra on
strength; we'll never know.  They have said publicly that they trust
256-bit AES a lot, and a lot more than they trust 128-bit AES.  That
statement is *completely* unprecedented.  The really interesting
question is this: what will NSA ever do, if they ever figure out how to
crack AES-256?  Officially decertify it for TS use, thereby telling the
world they think it's no longer that strong?  Let government agencies
continue to use it, when they know it's breakable?  That would be a
great discussion to listen to....
> In any case, I'm not saying that AES-256 isn't more secure than
> AES-128. It probably is, if only because it has more rounds in
> 256-bit mode. What I'm saying is that there is no practical sense in
> which we can conclude it's 2^{128} times stronger. Either the best
> attack is brute force, in which case there's simply no plausible
> attack on AES-128, or it's not in which case who knows what the
> relative strengths of the algorithms are?
Key length certainly isn't everything.  A monoalphabetic substitution
on all 256 byte values has a key length of 256!, or about 1684 bits,
but it is of course trivially crackable.

That said, there's always Whit Diffie's attitude: having extra key bits
is cheap; why not use them if you can?  Also, remember that many modern
cryptanalytic techniques produce many key bits but not all, requiring a
brute force search for the remainder.  So -- for a situation like that,
more key bits are definitely better, albeit by an imponderable amount.

Final comment: the original poster was not asking if they should use
AES-256; he was saying that they do use it, and should the RSA key size
be increased.  I think we can all agree on that.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb
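The byte-level monoalphabetic substitution cipher mentioned in the post above, worked through as an added example (this is not code from the original post or from the TLS working group): it computes the key-space entropy of a full 256-entry substitution table, shows that a known-plaintext attack reads table entries straight off the traffic with no search at all, and shows that a ciphertext-only frequency comparison recovers the most common symbol. It also puts a number on the "recover most key bits, brute-force the rest" pattern. The sample plaintext, reference text, seed and function names are constructed for the example.

```python
import math
import random
from collections import Counter

ALPHABET = 256  # the cipher substitutes every possible byte value


def keyspace_bits(n: int = ALPHABET) -> float:
    """Entropy of picking one of n! substitution tables: log2(n!) bits.
    For n = 256 this is roughly 1684 bits, as the post says."""
    return math.log2(math.factorial(n))


def make_key(seed: int) -> bytes:
    """Constructed key: a seeded random permutation of all 256 byte values."""
    table = list(range(ALPHABET))
    random.Random(seed).shuffle(table)
    return bytes(table)


def invert_key(key: bytes) -> bytes:
    """Build the inverse table so that decrypt(encrypt(x)) == x."""
    inv = bytearray(ALPHABET)
    for plain, cipher in enumerate(key):
        inv[cipher] = plain
    return bytes(inv)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # bytes.translate maps each input byte through a 256-entry table.
    return plaintext.translate(key)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return ciphertext.translate(invert_key(key))


def known_plaintext_attack(plaintext: bytes, ciphertext: bytes) -> dict:
    """Every (plain, cipher) byte pair fixes one table entry outright.
    No search is needed; entries for byte values that never occur in the
    plaintext stay unknown, and they are never needed to read it either."""
    return {p: c for p, c in zip(plaintext, ciphertext)}


def residual_bruteforce_bits(entries_known: int, n: int = ALPHABET) -> float:
    """Work, in bits, to brute-force the entries a partial recovery left
    unknown: they form a permutation of the remaining n - entries_known
    values. This is the 'recover many key bits, search the rest' pattern."""
    return math.log2(math.factorial(n - entries_known))


def frequency_guess(ciphertext: bytes, reference: bytes, top: int = 1) -> dict:
    """Ciphertext-only attack: align the most frequent ciphertext bytes with
    the most frequent bytes of a reference text in the same language.
    On short texts only the top one or two symbols are reliable."""
    cipher_rank = [b for b, _ in Counter(ciphertext).most_common(top)]
    ref_rank = [b for b, _ in Counter(reference).most_common(top)]
    return dict(zip(cipher_rank, ref_rank))


# Constructed sample texts for the example (not from the original post).
SAMPLE = (b"the quick brown fox jumps over the lazy dog while the dog sleeps "
          b"in the sun and the fox runs back to the forest where the other "
          b"foxes wait for the night")
REFERENCE = (b"it is a truth universally acknowledged that a single man in "
             b"possession of a good fortune must be in want of a wife")


def demo(seed: int = 7) -> dict:
    """Run the whole comparison and return the figures for inspection."""
    key = make_key(seed)
    ct = encrypt(key, SAMPLE)
    known = known_plaintext_attack(SAMPLE, ct)
    return {
        "keyspace_bits": keyspace_bits(),
        "entries_recovered": len(known),
        "residual_bits": residual_bruteforce_bits(len(known)),
        "space_found_by_frequency": frequency_guess(ct, REFERENCE) == {key[32]: 32},
        "roundtrip_ok": decrypt(key, ct) == SAMPLE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast the figures make is the point of the post: the nominal key space is about 1684 bits, yet a single known plaintext recovers every table entry that matters, and the residual brute-force figure for the unrecovered entries is large on paper but irrelevant, because those entries never occur in the traffic. Key length bounds the cost of exhaustive search and nothing else.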