Re: [TLS] Comparative cipher suite strengths

[Eric Rescorla <ekr@networkresonance.com>]

At Wed, 22 Apr 2009 12:16:32 +0100,
carlyoung@keycomm.co.uk wrote:
> 
> 
> >>On Wed 22/04/09 11:35 AM , Simon Josefsson simon@josefsson.org sent:
> >>> The "key strength" would be limited by the weakest link in the suite
> >>> though wouldn't it, which, in this case, is the RSA keys? Or are you
> >>> saying that the additional security of the PRF, key derivation
> >>> mechanisms, and the entropy in the random data overcomes this?
> >>
> >> No, I'm saying that talking about trying to match anything to 
> >> AES-256 doesn't make sense. We don't know of any situation in
> >> which even AES-128 can be attacked.
> >
> >What we can always do, though, is to compare the amount of work needed
> >to break AES-256 with the amount of work needed to break RSA-y using
> >state-of-the-art attacks. It's possible that this imply y=15360.
> >
> >However, I agree that this is looking at things the wrong way. The
> >exercise should not have any practical consequences on what key sizes
> >you use. One should focus on selecting appropriate security level for
> >each algorithm. Today AES-128 and RSA-2048 will probably make
> >implementation bugs the weakest link for the majority of users.
> 
> Thanks for all the responses. I think the following text is a better way of describing what I meant and why I was asking:
> 
> We have a customer that mandated that we utilize AES-256 for the
> symmetric encryption keys used on our TLS sessions, so we have
> complied, and this works fine. Looking at implementation details
> from the customer, I found that they are using static X.509v3
> certificates (CA issued), where the public key size is only 1024
> bits.
> 
> Therefore, in my mind, they are getting a false sense of security
> from using AES-256 as the underlying strength of the whole TLS
> session is determined by the weakest point - in this case the 1024
> bit RSA keys, which NIST state to be equivalent to "80-bits" [when
> compared to a symmetric cipher I guess].

Sure, but they're getting a false sense of security from AES-256
as well. Let's say for the sake of argument that you had
a system that used static, randomly generated 256-bit AES
keys. Do you really think that's 2^{128} times more secure
than one that uses 128-bit AES?


> So, I would want to recommend to the customer that if they want a
> more secure TLS session, then they need to increase the RSA key
> sizes to "match" the symmetric key strength, as the overall security
> 'strength' of their TLS sessions comes down to their RSA key size
> [as it's lower comparably to AES-256].
> 
> Does this seem reasonable and make more sense than my original question?

It makes more sense to say you need a bigger RSA key, but IMO
the "match" thing is the wrong way to look at it. Rather, you
should decide on your minimum security level and choose algorithms
that support that. I don't think having them match is particularly
interesting once we're at the point where there is no plausible
non-analytic attack on the algorithm.

-Ekr