[147283] in cryptography@c2.net mail archive
Re: [Cryptography] RSA equivalent key length/strength
daemon@ATHENA.MIT.EDU (David Kuehling)
Tue Sep 24 09:48:48 2013
X-Original-To: cryptography@metzdowd.com
From: David Kuehling <dvdkhlng@posteo.de>
To: Patrick Pelletier <code@funwithsoftware.org>
Date: Tue, 24 Sep 2013 13:26:53 +0200
In-Reply-To: <523E34A6.2010004@funwithsoftware.org> (Patrick Pelletier's
message of "Sat, 21 Sep 2013 17:07:02 -0700")
Cc: cryptography@metzdowd.com, "Perry E. Metzger" <perry@piermont.com>,
Adam Back <adam@cypherspace.org>, Paul Hoffman <paul.hoffman@vpnc.org>,
Peter Fairbrother <zenadsl6186@zen.co.uk>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
--===============2189594595514446476==
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha256; protocol="application/pgp-signature"
--=-=-=
Content-Transfer-Encoding: quoted-printable
>>>>> "Patrick" =3D=3D Patrick Pelletier <code@funwithsoftware.org> writes:
> On 9/14/13 11:38 AM, Adam Back wrote:
>> Tin foil or not: maybe its time for 3072 RSA/DH and 384/512 ECC?
> I'm inclined to agree with you, but you might be interested/horrified
> in the "1024 bits is enough for anyone" debate currently unfolding on
> the TLS list:
> http://www.ietf.org/mail-archive/web/tls/current/msg10009.html
I'm even more horrified, that the Apache webserver uses 1024-bit Diffie
Hellman exchange for TLS/SSL with no way to increase group size other
than modifying and recompiling the sources. Now that everybody calls
for website operators to enable perfect-forward secrecy, we may in fact
see an overall security downgrade.
http://grokbase.com/t/apache/dev/1393kx4qn8/
http://blog.ivanristic.com/2013/08/increasing-dhe-strength-on-apache.html
(Of course you can also get PFS via ECDHE, but many production webserver
installations run older openssl versions that only support DHE)
David
=2D-=20
GnuPG public key: http://dvdkhlng.users.sourceforge.net/dk2.gpg
Fingerprint: B63B 6AF2 4EEB F033 46F7 7F1D 935E 6F08 E457 205F
--=-=-=
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAlJBdv0ACgkQk15vCORXIF/cEwEAuK4Ol/cg3v/8m+p4jHcGiR+8
o2VSOICp3byo5pCkK5UA/0P4EsITlboJ+mqF9JY2x2HEJI/CZJV8mnkYzb7sZVgS
=Bfdw
-----END PGP SIGNATURE-----
--=-=-=--
--===============2189594595514446476==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============2189594595514446476==--
