[2603] in cryptography@c2.net mail archive
Re: safety of SSL 2?
daemon@ATHENA.MIT.EDU (EKR)
Tue Apr 28 22:29:23 1998
To: Eric Young <eay@cryptsoft.com>
Cc: cryptography@c2.net
From: EKR <ekr@terisa.com>
Date: 28 Apr 1998 19:03:18 -0700
In-Reply-To: Eric Young's message of "Wed, 29 Apr 1998 11:11:53 +1000 (EST)"
Eric Young <eay@cryptsoft.com> writes:
> On 28 Apr 1998, EKR wrote:
> > In short, even in the common static RSA case, SSLv3 offers superior
> > resistance to integrity attacks when exportable ciphers are used.
>
> I definitely agree with this, SSLv3 does give better integrity security but who
> is doing 40-bit real time decryption yet?
Probably no one, but it's hypothetically possible, especially for long-term
sessions.
> My view of the world tends not to be about impersonation, rather the retrieval
> of sensitive information from the data streams. "Perfect Forward Secrecy" (to
> use the correct term :-) is what concerns me. SSL is capable of providing it,
> and TLS mandates ephemeral Diffie-Hellman ciphers that provide this, but none
> of these are widely deployed. In theory, Ephemeral RSA could be used with most
> of the RSA ciphers, but last time I tested, quite a few of the browsers were
> not happy with this when used with non-export ciphers.
It's not going to get any better. In TLS, it's forbidden to use
ephemeral RSA except when you're in export mode and the
server certificate > 512 bits:
---snip---
It is not legal to send the server key exchange message for the
following key exchange methods:
RSA
RSA_EXPORT (when the public key in the server certificate is
less than or equal to 512 bits in length)
DH_DSS
DH_RSA
---snip---
> viable for SSLv3 as it is currently deployed in most applications. One could
> argue that this is the case for hardware tokens etc, but with the forward
> security provided by separate authentication and temporary encryption keys, no
> criminal or court will ever be able to retrieve the data without using brute
> force.
Agreed.
> So from my point of view, the "Perfect Forward Secrecy" is more of an issue
> than 40 bit keys :-).
For the threat model you're dealing with, I think this
is wise.
-Ekr
--
[Eric Rescorla Terisa Systems, Inc.]
"Put it in the top slot."
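The forward-secrecy contrast this exchange turns on (a long-term key that both authenticates and protects the session secret, versus a long-term key that only signs while one-time exponents protect the session) can be shown end to end in a few lines. The following is an added example, not code from the message or from either participant; it uses a deliberately tiny textbook RSA key and a toy Diffie-Hellman group that are constructed for illustration and have no real security, and the "key derivation" is simply a SHA-256 of the shared secret. It simulates a passive recorder who later obtains the server's long-term private key: with static RSA the recorded ClientKeyExchange decrypts to the session key, with ephemeral DH the compromised key only lets the attacker verify or forge signatures going forward.

```python
"""Forward secrecy demo: static RSA key exchange vs. ephemeral Diffie-Hellman.

Added example (not from the original message). All parameters below are
constructed toys chosen so the script runs instantly offline; they give no
real security.
"""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# --- Constructed toy parameters ---------------------------------------------
P_RSA, Q_RSA = 1000003, 1000033           # small primes for the server's long-term RSA key
N = P_RSA * Q_RSA
E = 65537
D = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))  # long-term private exponent
DH_P = 2**127 - 1                          # toy DH modulus (Mersenne prime); not a real group
DH_G = 3


def session_key(secret: int) -> bytes:
    """Stand-in for the TLS key derivation: hash the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def _digest_mod_n(value: int) -> int:
    """Hash a DH public value into the RSA modulus range (toy signature input)."""
    h = hashlib.sha256(value.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % N


def sign(value: int) -> int:
    """Toy RSA signature over a DH public value with the long-term key."""
    return pow(_digest_mod_n(value), D, N)


def verify(value: int, signature: int) -> bool:
    """Check a toy signature with the long-term public key."""
    return pow(signature, E, N) == _digest_mod_n(value)


def static_rsa_handshake() -> Tuple[Dict[str, int], bytes]:
    """Client encrypts a premaster secret under the server's long-term RSA key.

    Returns (what a passive recorder sees, the session key both sides derive).
    """
    premaster = secrets.randbelow(N - 2) + 2
    encrypted = pow(premaster, E, N)               # ClientKeyExchange contents
    transcript = {"encrypted_premaster": encrypted}
    return transcript, session_key(premaster)


def ephemeral_dh_handshake() -> Tuple[Dict[str, int], bytes]:
    """Server signs a fresh DH public value; the exchange itself uses one-time
    exponents that are discarded when the function returns."""
    x = secrets.randbelow(DH_P - 2) + 2            # server's ephemeral exponent
    y = secrets.randbelow(DH_P - 2) + 2            # client's ephemeral exponent
    server_pub = pow(DH_G, x, DH_P)
    client_pub = pow(DH_G, y, DH_P)
    signature = sign(server_pub)                   # ServerKeyExchange signature (toy)
    shared_server = pow(client_pub, x, DH_P)
    shared_client = pow(server_pub, y, DH_P)
    assert shared_server == shared_client
    transcript = {"server_pub": server_pub, "client_pub": client_pub,
                  "signature": signature}
    # x and y are gone after this point: nothing long-lived can reproduce the secret
    return transcript, session_key(shared_server)


def attacker_after_key_compromise(transcript: Dict[str, int],
                                  private_exponent: int) -> Optional[bytes]:
    """Recorder who captured the handshake and later obtains the server's
    long-term private key. Returns the recovered session key, or None."""
    if "encrypted_premaster" in transcript:
        # Static RSA: the recording decrypts to the premaster, hence the key.
        premaster = pow(transcript["encrypted_premaster"], private_exponent, N)
        return session_key(premaster)
    # Ephemeral DH: the key only validates (or, from now on, forges) signatures;
    # the shared secret depends on exponents that were never sent or stored.
    assert verify(transcript["server_pub"], transcript["signature"])
    return None


if __name__ == "__main__":
    t_rsa, k_rsa = static_rsa_handshake()
    print("static RSA recovered:", attacker_after_key_compromise(t_rsa, D) == k_rsa)
    t_dh, k_dh = ephemeral_dh_handshake()
    print("ephemeral DH recovered:", attacker_after_key_compromise(t_dh, D) is not None)
```

Running it prints `static RSA recovered: True` and `ephemeral DH recovered: False`. The point matches Eric Young's framing: with static RSA the same long-term key does both authentication and encryption, so a later compromise (or compelled disclosure) of that key unlocks every recorded session; with the ephemeral cipher suites the long-term key is only an authentication key, and the recorded transcript is worth nothing more than a discrete-log problem.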