Re: [TLS] Comparative cipher suite strengths

Eric Rescorla <ekr@networkresonance.com> Fri, 01 May 2009 05:45 UTC

Date: Thu, 30 Apr 2009 22:50:08 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Bill Frantz <frantz@pwpconsult.com>
In-Reply-To: <r02010500-1049-4DA06D4F35F311DE824F0030658F0F64@[192.168.1.5]>
References: <20090423185550.GW1500@Sun.COM> <r02010500-1049-4DA06D4F35F311DE824F0030658F0F64@[192.168.1.5]>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20090501055009.3857D19668A@kilo.networkresonance.com>
Cc: tls@ietf.org

At Thu, 30 Apr 2009 18:56:35 -0700,
Bill Frantz wrote:
> 
> Nicolas.Williams@sun.com (Nicolas Williams) on Thursday, April 23, 2009 wrote:
> 
> >The more likely explanation is that *some* imaginable
> >cryptanalytic advances could reduce the effective strength of AES in
> >such a way that longer keys remain more secure than shorter keys.
> 
> When I think of the reasons that NSA/DOD could have for requiring AES-128
> for secret and AES-192 for top secret, I think they may be looking at the
> whole cryptographic system. While symmetric cyphers have some solid math
> behind them, other parts of the system, such as generating random numbers
> for the keys are frequently more akin to black magic.
> 
> If my random numbers were only 75% random against some attack, with AES-192
> I would still have 128 bits of strength against a brute force attack. With
> AES-128, I'd only have 96 bits, and I would be quite concerned when
> protecting top secret data.

I don't think this lines up particularly well with how CSPRNGs
work. You start with some random seed information S which you
use to seed the CSPRNG. That seed has some number of bits of
entropy. Call it E. You then generate your cryptographic key.
No matter how long that key is, the total strength of the system
is the cost of brute-forcing S, i.e., 2^E operations. This is true
whether the symmetric cipher is 128 bits or 256 bits.

-Ekr
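The following is an added example, not part of the original thread or anything Ekr or Bill posted, illustrating the point about seed entropy. It stands in a toy DRBG (HMAC-SHA256 in counter mode, a constructed substitute for a real CSPRNG) and derives both a 128-bit and a 256-bit key from the same seed S. The seed is given a deliberately tiny entropy E (16 bits, a constructed value) so that an exhaustive search over seeds finishes instantly; the function names and the 16-bit seed width are assumptions of this example. Because any DRBG is a deterministic function of its seed, recovering S costs at most 2^E trial seeds whichever key length is generated, which is what the reply states.

```python
import hashlib
import hmac
import os

# Constructed parameter: seed entropy in bits. Tiny on purpose so the
# exhaustive search below runs in about a second in pure Python.
SEED_ENTROPY_BITS = 16
SEED_BYTES = SEED_ENTROPY_BITS // 8


def csprng_expand(seed: bytes, nbytes: int) -> bytes:
    """Toy deterministic expander (HMAC-SHA256 in counter mode).

    This stands in for a real DRBG; the only property that matters for the
    argument is that the output is a pure function of the seed.
    """
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def derive_keys(seed: bytes):
    """Return (AES-128 key, AES-256 key) generated from one seed."""
    stream = csprng_expand(seed, 16 + 32)
    return stream[:16], stream[16:]


def seed_from_int(n: int) -> bytes:
    return n.to_bytes(SEED_BYTES, "big")


def recover_seed_by_search(target_key: bytes):
    """Enumerate every possible seed until the derived key matches.

    Returns (seed_value, trial_seeds_examined). The work is bounded by
    2**SEED_ENTROPY_BITS regardless of len(target_key).
    """
    key_len = len(target_key)
    work = 0
    for n in range(2 ** SEED_ENTROPY_BITS):
        work += 1
        k128, k256 = derive_keys(seed_from_int(n))
        candidate = k128 if key_len == 16 else k256
        if hmac.compare_digest(candidate, target_key):
            return n, work
    return None, work


def effort_to_recover(seed_value: int):
    """Derive both keys from one seed, then recover the seed from each key.

    Returns (recovered_via_128, work_128, recovered_via_256, work_256).
    """
    k128, k256 = derive_keys(seed_from_int(seed_value))
    found128, work128 = recover_seed_by_search(k128)
    found256, work256 = recover_seed_by_search(k256)
    return found128, work128, found256, work256


def effective_strength_bits(seed_entropy_bits: int, key_bits: int) -> int:
    """Strength of the whole system is min(entropy of S, key length)."""
    return min(seed_entropy_bits, key_bits)


if __name__ == "__main__":
    # Pick an honestly random 16-bit seed for the demo run.
    seed_value = int.from_bytes(os.urandom(SEED_BYTES), "big")
    f128, w128, f256, w256 = effort_to_recover(seed_value)
    print(f"seed={seed_value} recovered via AES-128 key: {f128} after {w128} trials")
    print(f"seed={seed_value} recovered via AES-256 key: {f256} after {w256} trials")
    for key_bits in (128, 192, 256):
        print(f"E={SEED_ENTROPY_BITS} bits, key={key_bits} bits -> "
              f"{effective_strength_bits(SEED_ENTROPY_BITS, key_bits)} bits of strength")
```

The two searches examine exactly the same number of trial seeds, because the search is over S, not over the key: a longer key generated from the same low-entropy seed buys nothing against an attacker who models the generator. The defensive takeaway is the one Ekr draws: the thing to audit is the entropy actually fed to the DRBG, not the cipher's key length.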