Re: [TLS] Comparative cipher suite strengths

carlyoung@keycomm.co.uk Fri, 24 April 2009 09:22 UTC

>On Thu 23/04/09 9:40 PM , Eric Rescorla ekr@networkresonance.com sent:
>>At Thu, 23 Apr 2009 15:05:15 -0400,
>>Steven M. Bellovin wrote:
>> Final comment: the original poster was not asking if they should use
>> AES-256; he was saying that they do use it, and should the RSA key size
>> be increased. I think we can all agree on that.
>
>I actually don't necessarily agree. If he's using AES-256 because
>he has data that needs to be kept *really secure*, then yes, he
>should use RSA > 1024. If he's using AES-256 because it's got
>a cool sounding name, then maybe not so much.

Firstly, I'd like to thank everyone for their comments and observations; it has been enlightening.

Eric - I really didn't choose AES-256; my customer (possibly US based and federal...?) chose this. We primarily use whatever cipher suites are available in TLS from OpenSSL, but do allow the customers to manually specify the cipher list.

All I want to do is to advise them, and other customers, that migrating from 3DES_EDE to AES-256 - without changing their certificates from 1024 bits - has provided no appreciable gain in security strength as the RSA keys are the weakest link in the chain. All we are doing in this case is using more processing power to provide the same level of security as we did previously.

I will try to make some generic advice available without getting evangelical about FIPS key-size recommendations. If they really want to use 15,360 bit RSA keys and AES-256, that is up to them [though I suspect the overhead involved in this would kill the product's performance dead in the water].

I will try to provide some generic advice, whilst referencing the FIPS publications, and suggest that AES-128 is perfectly good enough for them, but certificate key sizes should be increased to 2048 bits or possibly 3072.

Many thanks,

Carl
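
The weakest-link argument in the message above, worked through as an added example that is not part of the original e-mail. It assumes the usual heuristic for RSA strength based on the cost of the general number field sieve (constants 1.923 and 4.69, as used in NIST's FIPS 140-2 implementation guidance) and the NIST SP 800-57 ratings for the symmetric ciphers; the function names are hypothetical.

```python
import math

# Symmetric strengths in bits as rated in NIST SP 800-57 Part 1
# (three-key 3DES is rated at 112 bits, not 168).
SYMMETRIC_BITS = {"3DES_EDE": 112, "AES-128": 128, "AES-256": 256}


def rsa_strength_bits(modulus_bits):
    """Estimate the symmetric-equivalent strength of an RSA modulus.

    Heuristic from the asymptotic running time of the general number
    field sieve; the result is an estimate, not an exact security level.
    """
    ln_n = modulus_bits * math.log(2)
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)


def suite_strength(cipher, rsa_bits):
    """Return (effective bits, weakest component) for a cipher and RSA key size."""
    sym = SYMMETRIC_BITS[cipher]
    rsa = rsa_strength_bits(rsa_bits)
    return (rsa, "RSA key") if rsa < sym else (float(sym), "cipher")


def min_rsa_bits_for(target_bits, step=256, limit=32768):
    """Smallest modulus size (in multiples of `step`) whose estimate reaches the target."""
    for bits in range(1024, limit + 1, step):
        if rsa_strength_bits(bits) >= target_bits:
            return bits
    raise ValueError("no modulus up to %d bits reaches %d bits" % (limit, target_bits))


if __name__ == "__main__":
    # Combinations discussed in the thread (constructed sample input).
    cases = [("3DES_EDE", 1024), ("AES-256", 1024), ("AES-128", 2048),
             ("AES-128", 3072), ("AES-256", 15360)]
    for cipher, rsa_bits in cases:
        bits, weakest = suite_strength(cipher, rsa_bits)
        print("%-8s + RSA-%-5d -> ~%3.0f bits (limited by %s)"
              % (cipher, rsa_bits, bits, weakest))
    for target in (112, 128, 256):
        print("RSA size matching %d-bit cipher: >= %d bits"
              % (target, min_rsa_bits_for(target)))
```

The estimate tracks the SP 800-57 table closely but not exactly (the table rounds 3072 bits to 128 and 15360 bits to 256), so treat the output as a comparison aid rather than a compliance figure.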