Re: [TLS] key sizes in TLS.
Nikos Mavrogiannopoulos <nmav@gnutls.org> Tue, 11 June 2013 10:12 UTC
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23A8C21F8ECE for <tls@ietfa.amsl.com>; Tue, 11 Jun 2013 03:12:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NLMeb2IAQHWz for <tls@ietfa.amsl.com>; Tue, 11 Jun 2013 03:12:07 -0700 (PDT)
Received: from mail-lb0-f177.google.com (mail-lb0-f177.google.com [209.85.217.177]) by ietfa.amsl.com (Postfix) with ESMTP id 81B6A21F8F3E for <tls@ietf.org>; Tue, 11 Jun 2013 03:12:07 -0700 (PDT)
Received: by mail-lb0-f177.google.com with SMTP id 10so6838238lbf.36 for <tls@ietf.org>; Tue, 11 Jun 2013 03:12:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=9lFLq1fzx5KnteEJid/i1Vrw554ArUxoXtltTNXgt0w=; b=i2djlHZAxDWbIahniWczvGAMPHV3BjFZqRUF6lkZWBOIcT6bnbJwla2HSQxAYJ6xYR 86bR00zHNflV6SkkEEgr3SzcNmBCxCCoiwWda+4e74FMb3nxL4afAvzv18dlvKFK352Q 0NMjC4sKttwqvgeUwy34ZaZEFCJvE3Wp1qh76okbMoDxLHvJWGwVN8CSnw2XMoUrPTHS +TZVnVE/9zvDMJ7rdiN3aMPBqHVSUlrTAAKQ6XKYt9eh4qwtepqmuTSV7pz2xLFSOYnc ZBx94K2z6XDCxXTj4mvTIPtTU5zpMmhlHCU4FnntHBPxbwuqqADOZQWx2B9danVgbo7+ 8wSw==
MIME-Version: 1.0
X-Received: by 10.152.20.6 with SMTP id j6mr7106217lae.2.1370945526202; Tue, 11 Jun 2013 03:12:06 -0700 (PDT)
Sender: n.mavrogiannopoulos@gmail.com
Received: by 10.112.74.114 with HTTP; Tue, 11 Jun 2013 03:12:06 -0700 (PDT)
In-Reply-To: <CDDB5625.2EB5B%qdang@nist.gov>
References: <CDDB5625.2EB5B%qdang@nist.gov>
Date: Tue, 11 Jun 2013 12:12:06 +0200
X-Google-Sender-Auth: t5_Uch9TnzwbmD0oL8p_jGBKoDM
Message-ID: <CAJU7zaKJ6yHEdwuHKqDBF00yPpZwg=PzjuXz+A=m4f1ts-aYng@mail.gmail.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: "Dang, Quynh" <quynh.dang@nist.gov>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] key sizes in TLS.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2013 10:12:12 -0000
On Mon, Jun 10, 2013 at 4:08 PM, Dang, Quynh <quynh.dang@nist.gov> wrote: > I don’t know if it would make sense to specify (1) a method for which the > client can use to let the server know what key size(s) (DSS or RSA and DH) > are acceptable and (2) a method for which the server can let the client know > what key size(s) is/are acceptable to the server for the client's > authentication. You are correct. That is an omission from the DHE key exchange in TLS. At least in gnutls it caused several connection failure issues once we required a DH group of more than 768 bits in the client. Overall my impression is that the DHE-based ciphersuites are pretty much neglected. There are also optimizations that could be done (e.g., the server specifying the size of the generator's subgroup), but no-one ever bothered to update the protocol. > Even with some (or proposed) ECC-based cipher suites, there is similar issue > about key sizes for client’s authentication. Which ones do you mean? The ECC-based ciphersuites (with named curves) have the size of the curve hard-coded so I have noticed no such issues there. In that aspect they are better than their DH counterparts. If you mean the ECC ciphersuites with explicit curves I think you should reconsider their usage [0]. regards, Nikos [0]. https://www.cosic.esat.kuleuven.be/publications/private/article-2216.pdf
- [TLS] key sizes in TLS. Dang, Quynh
- Re: [TLS] key sizes in TLS. Nikos Mavrogiannopoulos
- Re: [TLS] key sizes in TLS. Nikos Mavrogiannopoulos
- Re: [TLS] key sizes in TLS. Dang, Quynh
- Re: [TLS] key sizes in TLS. Nikos Mavrogiannopoulos
- Re: [TLS] key sizes in TLS. Peter Gutmann
- Re: [TLS] key sizes in TLS. Nikos Mavrogiannopoulos