IETF Logo Mail Archive

Re: [TLS] security levels for TLS

Nikos Mavrogiannopoulos <nmav@gnutls.org> Mon, 08 October 2007 16:15 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IevGD-000571-Kh; Mon, 08 Oct 2007 12:15:13 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IevGC-00055Z-Fy for tls@lists.ietf.org; Mon, 08 Oct 2007 12:15:12 -0400
Received: from fk-out-0910.google.com ([209.85.128.189]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IevG0-0003f4-BP for tls@lists.ietf.org; Mon, 08 Oct 2007 12:15:08 -0400
Received: by fk-out-0910.google.com with SMTP id z22so1535968fkz for <tls@lists.ietf.org>; Mon, 08 Oct 2007 09:14:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:from:to:subject:date:user-agent:cc:references:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:message-id:sender; bh=7YROxN+fD5484y4vTNnVc0xJKfIx+M2CxK/CPptpq7M=; b=RBPY4dkPnxiDKU/sUVAt2FjTn1QNj1KXng9MKeFz0TRp9FTUONFq1jG9BtBdQs5FqAAB9XYLZ+rqLOBq2Ha5fGnjE7uO3TYaLlrEo1x0ulY8nFB0wT70wcgq3BLSGp6DyduSQCVxZwdrzcWkat8eqUmCJgS6xby1zA4zwToB2Zw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:from:to:subject:date:user-agent:cc:references:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:message-id:sender; b=XmDaq4We9kmKZn0wqPDDey2q+6XD81ILHl2ViySzwPY+/JlZ0eLySfnS8TQMnWvGc7Ac1erfsH69LKnKKdgf4NHpefqCEg1ZKjcQthmfJFfRMqcdbPlqIm28PjTce4KJ5deBCXMlHfZnIDx6Gh2kpKL7AhJKjWJ2IrcjMfOs/78=
Received: by 10.82.106.14 with SMTP id e14mr5760846buc.1191860075952; Mon, 08 Oct 2007 09:14:35 -0700 (PDT)
Received: from crystal.lan ( [77.49.221.115]) by mx.google.com with ESMTPS id j9sm13315158mue.2007.10.08.09.14.32 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 08 Oct 2007 09:14:34 -0700 (PDT)
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: Eric Rescorla <ekr@networkresonance.com>
Subject: Re: [TLS] security levels for TLS
Date: Mon, 08 Oct 2007 19:14:28 +0300
User-Agent: KMail/1.9.6 (enterprise 0.20070907.709405)
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <20071008153218.DAEBB33C21@delta.rtfm.com>
In-Reply-To: <20071008153218.DAEBB33C21@delta.rtfm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200710081914.29437.nmav@gnutls.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

On Monday 08 October 2007, Eric Rescorla wrote:

> I think this is something that the TLS WG should avoid getting involved
> in.
I do agree that there is a lot of complexity in this issue, but the TLS WG is 
the only WG that could do this at least for TLS.

> 1. It's not really possible to come up with a single figure of merit
>    in an uncontroversial way. To take the simplest possible case, what
>    security level should we assign to TLS_RSA_WITH_NULL_SHA1 when the
>    key is 1024 bits? What's the security level of TLS_RSA_DHE_*
>    when the RSA key is 1024 bits and the DH key is 512? How about
>    the other way around?

This cannot be 100% objective by definition, but it can be based on a rational 
process. Of course the security level of those cryptosystems should be 
calculated using the weakest of the used algorithms.

I've thought about that while reading "Selecting cryptographic key sizes" 
(available at http://www.win.tue.nl/~klenstra/key.pdf)
Which gives an answer to your questions above. 

> 2. These numbers change over time as attacks get better. Unfortunately,
>    those changes aren't straightforward. For instance, it's not
>    really that easy to assess the security of HMAC-MD5 right now,
>    especially if the question you're interested in asking is how
>    secure it will be in a year (and the horizon you'd need to be
>    thinking about is more like 5 years).

I'm not talking about assessing individual algorithms, but rather give an 
estimation of security based on objective facts as the key size etc. Of 
course one cannot give precise security levels. 

> 3. It seems likely that once you get past a fairly modest algorithm
>    strength (40 bits? 64 bits?) the dominant security predictor
>    about a given system is implementation quality (remotely exploitable
>    vulns, RNG quality, ...), not algorithm strength. I don't know how
>    to assess that.

Indeed, but having at least an estimation of security based on some objective 
factor I think it is a good step forward. 


regards,
Nikos



_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email