Re: [TLS] Comparative cipher suite strengths

Eric Rescorla <ekr@networkresonance.com> Thu, 23 April 2009 20:37 UTC


At Thu, 23 Apr 2009 15:05:15 -0400,
Steven M. Bellovin wrote:
> Key length certainly isn't everything.  A monoalphabetic substitution
> on all 256 byte values has a key length of 256!, or about 1684 bits,
> but it is of course trivially crackable. 
> 
> That said, there's always Whit Diffie's attitude: having extra key bits
> is cheap; why not use them if you can?  Also, remember that many modern
> cryptanalytic techniques produce many key bits but not all, requiring a
> brute force search for the remainder.  So -- for a situation like that,
> more key bits are definitely better, albeit by an imponderable amount.

So, this is true for symmetric ciphers but not asymmetric ciphers.


> Final comment: the original poster was not asking if they should use
> AES-256; he was saying that they do use it, and should the RSA key size
> be increased.  I think we can all agree on that.

I actually don't necessarily agree. If he's using AES-256 because
he has data that needs to be kept *really secure*, then yes, he
should use RSA > 1024. If he's using AES-256 because it's got
a cool-sounding name, then maybe not so much.

-Ekr