Re: [TLS] Comparative cipher suite strengths
Martin Rex <Martin.Rex@sap.com> Thu, 23 April 2009 20:02 UTC
Return-Path: <Martin.Rex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 499E73A6EAD for <tls@core3.amsl.com>; Thu, 23 Apr 2009 13:02:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.727
X-Spam-Level:
X-Spam-Status: No, score=-5.727 tagged_above=-999 required=5 tests=[AWL=0.522, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 78iTbj6-86ju for <tls@core3.amsl.com>; Thu, 23 Apr 2009 13:02:08 -0700 (PDT)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 3B2603A7293 for <tls@ietf.org>; Thu, 23 Apr 2009 13:00:51 -0700 (PDT)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id n3NK26k7006775 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 23 Apr 2009 22:02:06 +0200 (MEST)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200904232002.n3NK258G029940@fs4113.wdf.sap.corp>
To: Nicolas.Williams@sun.com
Date: Thu, 23 Apr 2009 22:02:05 +0200
In-Reply-To: <20090423185550.GW1500@Sun.COM> from "Nicolas Williams" at Apr 23, 9 01:55:50 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Comparative cipher suite strengths
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2009 20:02:09 -0000
Nicolas Williams wrote: > > On Thu, Apr 23, 2009 at 01:13:13PM -0400, Daniel Brown wrote: > > Furthermore, adapting Eric's calculations below, to brute force > > 112-bit keys, assuming 80-bit keys are brute forcible today (let's > > 112-bit keys... Ah, you must be thinking 3DES. It's worth noting that > one of the major cryptographic improvements in AES over 3DES is the > block size. The block size has a major impact on things like re-keying > considerations. So even assuming equal strength of 3DES and AES and > that 112-bit keys are impossible to brute force now and forever, it'd > still be worthwhile to switch from 3DES to to AES-128. A few minor comments. The bit-size is probably about "comparable symmetric cipher strength" rather than actual key length. A 3DES with 112-bit keys would be a two-key-triple-DES, and it is IMHO from the 80-bit comparable symmetric strength ballpark. In common use is 3-key-triple-DES (usually as 3DES-EDE-CBC), which means a 168-bit key (when ignoring the parity bits) and 112-bit comparable symmetric strength. AES-128 is probably much faster in Software on common 32-bit and 64-bit CPUs than 3DES (but I don't know about the modern CPUs from the UltraSparc and Power architectures that have crypto support built-in). There is also a difference in the IV size (matching the cipher blocksize) between 3DES and AES-128. With 3DES you have additonal problems creating keys compared to AES-128: none of the 3 subkeys of 3DES must have the same value, and none of the subkeys should be one of the known DES weak keys. And as long as you don't reuse the same symmetric key all the time, there probably is a difference in the "attributed algorithm strength" based on the best-known attacks and the effective protection strength of a moderately sized archived piece of encrypted data. In case the encryption key is based on a human-memorized password (aka password-based encryption) rather than a strong random session key (as in normal TLS ciphersuites), then the effective strength of the protection might be *much* smaller than what the chosen symmetric algorithm can theoretically provide. -Martin
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- [TLS] Comparative cipher suite strengths Carl Young
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Simon Josefsson
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Michael.G.Williams
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Paul Hoffman
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Paul Hoffman
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Martin Rex
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Michael D'Errico
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Florian Weimer
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Vipul Gupta
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Robert Relyea
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Bill Frantz
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Jeffrey A. Williams
- Re: [TLS] Comparative cipher suite strengths Martin Rex
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin