[146941] in cryptography@c2.net mail archive
Re: [Cryptography] What TLS ciphersuites are still OK?
daemon@ATHENA.MIT.EDU (james hughes)
Mon Sep 9 23:49:14 2013
X-Original-To: cryptography@metzdowd.com
From: james hughes <hughejp@mac.com>
In-reply-to: <522E4259.9030203@cs.tcd.ie>
Date: Mon, 09 Sep 2013 19:59:09 -0700
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>,
james hughes <hughejp@mac.com>, Ben Laurie <ben@links.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
--===============3688828766709596402==
Content-type: multipart/alternative;
boundary="Apple-Mail=_4ABA4884-792D-40D7-A78E-50C14486CE14"
--Apple-Mail=_4ABA4884-792D-40D7-A78E-50C14486CE14
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=windows-1252
On Sep 9, 2013, at 2:49 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> =
wrote:
> On 09/09/2013 05:29 PM, Ben Laurie wrote:
>> Perry asked me to summarise the status of TLS a while back ... =
luckily I
>> don't have to because someone else has:
>>=20
>> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>>=20
>> In short, I agree with that draft. And the brief summary is: there's =
only
>> one ciphersuite left that's good, and unfortunately its only =
available in
>> TLS 1.2:
>>=20
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>=20
> I don't agree the draft says that at all. It recommends using
> the above ciphersuite. (Which seems like a good recommendation
> to me.) It does not say anything much, good or bad, about any
> other ciphersuite.
>=20
> Claiming that all the rest are no good also seems overblown, if
> that's what you meant.
I retract my previous "+1" for this ciphersuite. This is hard coded 1024 =
DHE and 1024bit RSA.=20
=46rom=20
http://en.wikipedia.org/wiki/Key_size
>> As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent =
in strength to 80-bit symmetric keys
80 bit strength. Hard coded key sizes. Nice.=20
AES 128 with a key exchange of 80 bits. What's a factor of 2^48 among =
friends=85.=20
additionally, as predicted in 2003=85=20
>> 1024-bit keys are likely to become crackable some time between 2006 =
and 2010 and that
>> 2048-bit keys are sufficient until 2030.
>> 3072 bits should be used if security is required beyond 2030
They were off by 3 years.
What now?=20=
--Apple-Mail=_4ABA4884-792D-40D7-A78E-50C14486CE14
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset=windows-1252
<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; =
"><br><div><div>On Sep 9, 2013, at 2:49 PM, Stephen Farrell <<a =
href=3D"mailto:stephen.farrell@cs.tcd.ie">stephen.farrell@cs.tcd.ie</a>>=
; wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite">On 09/09/2013 05:29 PM, Ben Laurie wrote:<br><blockquote =
type=3D"cite">Perry asked me to summarise the status of TLS a while back =
... luckily I<br>don't have to because someone else has:<br><br><a =
href=3D"http://tools.ietf.org/html/draft-sheffer-tls-bcp-00">http://tools.=
ietf.org/html/draft-sheffer-tls-bcp-00</a><br><br>In short, I agree with =
that draft. And the brief summary is: there's only<br>one ciphersuite =
left that's good, and unfortunately its only available in<br>TLS =
1.2:<br><br>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256<br></blockquote><br>I =
don't agree the draft says that at all. It recommends using<br>the above =
ciphersuite. (Which seems like a good recommendation<br>to me.) It does =
not say anything much, good or bad, about any<br>other =
ciphersuite.<br><br>Claiming that all the rest are no good also seems =
overblown, if<br>that's what you =
meant.</blockquote></div><div><br></div><div>I retract my previous "+1" =
for this ciphersuite. This is hard coded 1024 DHE and 1024bit =
RSA. </div><div><br></div><div>From </div><div><span =
class=3D"Apple-tab-span" style=3D"white-space:pre"> </span><a =
href=3D"http://en.wikipedia.org/wiki/Key_size">http://en.wikipedia.org/wik=
i/Key_size</a></div><div><blockquote type=3D"cite"><blockquote =
type=3D"cite">As of 2003 RSA Security claims that 1024-bit RSA =
keys are equivalent in strength to 80-bit symmetric =
keys</blockquote></blockquote><br></div><div>80 bit strength. Hard coded =
key sizes. Nice. </div><div><br></div><div>AES 128 with a key =
exchange of 80 bits. What's a factor of 2^48 among =
friends=85. </div><div><br></div><div>additionally, as predicted in =
2003=85 <br><blockquote type=3D"cite"><blockquote type=3D"cite"><span=
style=3D"background-color: rgb(255, 255, 255); font-family: sans-serif; =
font-size: 13px; line-height: 19px; ">1024-bit keys are likely to become =
crackable some time between 2006 and 2010 and =
that</span></blockquote></blockquote><blockquote type=3D"cite"><blockquote=
type=3D"cite"><span style=3D"background-color: rgb(255, 255, 255); =
font-family: sans-serif; font-size: 13px; line-height: 19px; ">2048-bit =
keys are sufficient until =
2030.</span></blockquote></blockquote><blockquote =
type=3D"cite"><blockquote type=3D"cite"><span style=3D"background-color: =
rgb(255, 255, 255); font-family: sans-serif; font-size: 13px; =
line-height: 19px; ">3072 bits should be used if security is required =
beyond 2030</span></blockquote></blockquote></div><div>They were off by =
3 years.</div><div><br></div><div>What now? </div></body></html>=
--Apple-Mail=_4ABA4884-792D-40D7-A78E-50C14486CE14--
--===============3688828766709596402==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============3688828766709596402==--
