Re: [TLS] Comparative cipher suite strengths

carlyoung@keycomm.co.uk Tue, 21 April 2009 16:01 UTC


>On Tue 21/04/09 4:55 PM , Eric Rescorla ekr@networkresonance.com sent:
>>At Tue, 21 Apr 2009 16:32:54 +0100, Carl Young wrote:
>> 
>> So, for TLS_RSA_WITH_3DES_EDE_CBC_SHA, assuming an RSA 1024 bit key-pair, 
>> would the effective strength of the connection be 80 bits or am I looking to 
>> compare apples and oranges?
>>
>> If I want to negotiate AES-256, should I really be using a 15360 bit RSA key 
>> or, again, am I looking at this in the wrong way?
>
>Well, I think that this last bit is certainly looking at it the wrong
>way. We don't know of any conditions under which AES-256 would be
>breakable and AES-128 would not be, so talking about "key strength"
>just doesn't make much sense at that level.

The "key strength" would be limited by the weakest link in the suite though, wouldn't it, which, in this case, is the RSA keys? Or are you saying that the additional security of the PRF, key derivation mechanisms, and the entropy in the random data overcomes this?

I suppose what I'm trying to establish is that [hypothetically] if the technology existed to brute-force attack a 1024 bit RSA key pair in a short time-frame (say 1-2 days), would the attacker be able to recover the AES-256 keys used in the TLS session and decode the complete session, or is it more involved than that?

Thanks,

Carl