Re: [TLS] Comparative cipher suite strengths
"Steven M. Bellovin" <smb@cs.columbia.edu> Thu, 23 April 2009 19:04 UTC
Date: Thu, 23 Apr 2009 15:05:15 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Eric Rescorla <ekr@networkresonance.com>
Message-ID: <20090423150515.1b202723@cs.columbia.edu>
In-Reply-To: <20090423134052.21DB1188745@kilo.networkresonance.com>
References: <E1Lwt0c-0006jy-La@wintermute01.cs.auckland.ac.nz> <C615D006.41DE%uri@ll.mit.edu> <20090423134052.21DB1188745@kilo.networkresonance.com>
Organization: Columbia University
Cc: "tls@ietf.org" <tls@ietf.org>
On Thu, 23 Apr 2009 06:40:51 -0700 Eric Rescorla <ekr@networkresonance.com> wrote:

> How is it that the same government which can't seem to efficiently
> conduct elections or clean up after Hurricane Katrina is suddenly
> infallible when it comes to crypto? Is it just because the message
> comes from Fort Meade or what?

Infallible? No, of course not. And no government has ever fielded a system that they knew the enemy could break -- and of course many governments have been wrong. That may include the NSA -- Heath's master's thesis concludes that the Soviets likely broke NSA's KW-7 encryptor circa 1970. (She also concluded that the Navy's key-handling practices were awful.) Recently declassified documents say that NSA started having great cryptanalytic success of its own against the Soviets in the late 1970s.

But -- remember Biham, Biryukov, and Shamir's 2^78 impossible differential attack on 31-round Skipjack? 2^78 isn't an impressive result against an 80-bit cipher, and the attack could not be extended to the full 32 rounds in any case. But it was interesting that there was this slight improvement over brute force, so I brought it up in conversation with a friend who knows a fair amount about the subject. His comment? "A 2^78 attack against an 80-bit cipher? That's not an attack, that's good engineering." Maybe NSA really does understand this stuff that well...

One more point: NSA may or may not be able to speak ex cathedra on strength; we'll never know. They have said publicly that they trust 256-bit AES a lot, and a lot more than they trust 128-bit AES. That statement is *completely* unprecedented. The really interesting question is this: what will NSA ever do, if they ever figure out how to crack AES-256? Officially decertify it for TS use, thereby telling the world they think it's no longer that strong? Let government agencies continue to use it, when they know it's breakable? That would be a great discussion to listen to....

> In any case, I'm not saying that AES-256 isn't more secure than
> AES-128. It probably is, if only because it has more rounds in
> 256-bit mode. What I'm saying is that there is no practical sense in
> which we can conclude it's 2^{128} times stronger. Either the best
> attack is brute force, in which case there's simply no plausible
> attack on AES-128, or it's not in which case who knows what the
> relative strengths of the algorithms are?

Key length certainly isn't everything. A monoalphabetic substitution on all 256 byte values has a key length of 256!, or about 1684 bits, but it is of course trivially crackable.

That said, there's always Whit Diffie's attitude: having extra key bits is cheap; why not use them if you can? Also, remember that many modern cryptanalytic techniques produce many key bits but not all, requiring a brute force search for the remainder. So -- for a situation like that, more key bits are definitely better, albeit by an imponderable amount.

Final comment: the original poster was not asking if they should use AES-256; he was saying that they do use it, and should the RSA key size be increased. I think we can all agree on that.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
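An added illustration of the two key-length points in the message above (the 256! substitution cipher and the "recover many key bits, brute-force the rest" pattern); this is example code written for this archive page, not code from the thread or its participants, and the key and plaintext it uses are constructed for the demo.

```python
"""Added illustration, not from the thread: key length versus strength.

A monoalphabetic substitution over all 256 byte values has 256! possible
keys (about 1684 bits), yet one known plaintext that touches every byte
value recovers the entire key in linear time.  All sample data below is
constructed for this demo.
"""
import math


def key_bits(alphabet_size: int) -> float:
    """Key length in bits of a uniformly random permutation of the alphabet."""
    return math.log2(math.factorial(alphabet_size))


def substitution_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """key is a 256-entry permutation table: ciphertext byte = key[plaintext byte]."""
    return bytes(key[b] for b in plaintext)


def recover_key(plaintext: bytes, ciphertext: bytes) -> dict:
    """Known-plaintext attack: each observed (p, c) pair pins one table entry.
    Raises if the pairs are inconsistent (ciphertext not from a fixed substitution)."""
    table = {}
    for p, c in zip(plaintext, ciphertext):
        if table.setdefault(p, c) != c:
            raise ValueError("inconsistent pair: not a monoalphabetic substitution")
    return table


def residual_work_bits(key_len: int, recovered_bits: int) -> int:
    """Brute-force effort left after an attack yields recovered_bits of a key_len-bit key."""
    return max(key_len - recovered_bits, 0)


def demo() -> bool:
    # Constructed key: b -> 7*b + 3 mod 256 is a permutation because 7 is odd.
    key = bytes((7 * b + 3) % 256 for b in range(256))
    known = bytes(range(256)) * 4          # constructed plaintext covering every byte value
    recovered = recover_key(known, substitution_encrypt(key, known))
    return len(recovered) == 256 and all(recovered[p] == key[p] for p in range(256))


if __name__ == "__main__":
    print(f"256-byte substitution key: {key_bits(256):.0f} bits, recovered fully: {demo()}")
    print("work left with 64 key bits recovered: 2^%d vs 2^%d"
          % (residual_work_bits(128, 64), residual_work_bits(256, 64)))
```

The same attack that leaves 2^64 of work against a 128-bit key leaves 2^192 against a 256-bit one, which is the sense in which extra key bits help even when their exact value is imponderable.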