Hi all,

When I visit an HTTPS link I can see what strength of encryption is used to encrypt the content (e.g., 256 bit AES) and if I dig a little I can even see the strength of the certificate used for authentication (e.g., 1024 bit RSA). What I can't seem to find anywhere is any information about the strength or nature of the cryptography used for key agreement.

Plainly the concern is that 256 bit AES does you no good if the AES keys were exchanged insecurely. The security of the connection is the lesser of the security of the content encryption and the security of the key agreement protocol. An attacker who compromises the key agreement learns the AES key. In fact, the attacker could even store the entire session data for some future when the agreement protocol can be cracked, and then recover all of the data.

The content encryption algorithm and strength is visibly reported by the browser, but it is likely providing a false sense of security. Almost certainly the key agreement protocol is less secure than the 256 bit AES the browser tells me my bank supports. Using NIST's published key equivalents, you need a 15360 bit Diffie-Hellman key to equal the security of 256 bit AES, and I am pretty sure that it's not going to be using a 15360 bit key for agreement. Therefore the key agreement strength is the more important value to check. For data that is to be secured beyond next year you need to know (per NIST) that the key agreement was done with 2048 bit keys or better. If you need to keep your secrets for a further 22 years you need to know that it's at least 3072 bits strong. Anything less and that "256 bit AES" note that pops up is really giving you a false sense of security.

I was able to find an NSS page documenting the protocols that NSS supports, and in recent versions of NSS it's clearly capable of quite strong key agreement, possibly even using elliptic curves, but at the very least supports key strengths much stronger than the 3072 bit NIST recommends for the long run. That doesn't tell me, though, what I actually get when I connect to my bank. Is it negotiated? Are there minimums guaranteed by the protocols? If it's negotiated, is it susceptible to man-in-the-middle attacks that would degrade the key strength?

And in any case, before I type in the passwords which unlock my retirement savings (which I'd like to remain secret for a few more years) how do I check how secure the connection is?

Thanks much for your kind replies!

Justin

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
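One way to do the check asked about above, as an added example that is not part of the original post or of NSS: a Python script that parses the handshake summary printed by `openssl s_client` (fed constructed sample lines here rather than a live connection), rates the symmetric cipher, the ephemeral key-agreement key and the certificate key against NIST SP 800-57's comparable-strength table, and reports the weakest link. Assumptions: the OpenSSL output line formats shown in the samples, X25519/X448 rated at 128/224 bits, and a certificate taken to be RSA unless ECDSA is named.

```python
import re
# NIST SP 800-57 Part 1 comparable strengths: (security bits, FF modulus bits, EC field bits)
NIST_STRENGTHS = [(80, 1024, 160), (112, 2048, 224), (128, 3072, 256), (192, 7680, 384), (256, 15360, 512)]
# Curves OpenSSL reports with a non-round size; strengths assumed per NIST SP 800-186 / RFC 7748
NAMED_CURVES = {"X25519": 128, "X448": 224}

def pubkey_strength(kind, bits):
    """Security bits of a finite-field ('ff': RSA/DH) or elliptic-curve ('ec') key, rounded down."""
    col = 0 if kind == "ff" else 1
    return max((sec for sec, *sizes in NIST_STRENGTHS if bits >= sizes[col]), default=0)

def cipher_strength(cipher):
    """Symmetric strength implied by the suite name (the figure the browser shows)."""
    m = re.search(r"(?:AES|ARIA|CAMELLIA)[_-]?(128|256)", cipher)
    return int(m.group(1)) if m else 256 if "CHACHA20" in cipher else 112 if "3DES" in cipher else 0

def assess(s_client_output):
    """Parse `openssl s_client` output and rate every link of the chain; 'effective' is the weakest."""
    cipher = re.search(r"Cipher\s*(?:is|:)\s*(\S+)", s_client_output).group(1)
    cert_bits = int(re.search(r"Server public key is (\d+) bit", s_client_output).group(1))
    sig = re.search(r"Peer signature type:\s*(\S+)", s_client_output)
    cert_kind = "ec" if "ECDSA" in (sig.group(1) if sig else cipher) else "ff"  # assumption: RSA unless ECDSA named
    temp = re.search(r"Server Temp Key:\s*(.+?),\s*(\d+) bits", s_client_output)
    if temp:  # ephemeral (EC)DHE: agreement strength is the temp key's, and the session has forward secrecy
        name, bits = temp.group(1), int(temp.group(2))
        kx = NAMED_CURVES.get(name) or pubkey_strength("ff" if name.startswith("DH") else "ec", bits)
        fs = True
    else:  # static RSA key transport: the certificate key is the key-agreement key, no forward secrecy
        kx, fs = pubkey_strength(cert_kind, cert_bits), False
    result = {"cipher": cipher, "symmetric": cipher_strength(cipher), "key_exchange": kx,
              "certificate": pubkey_strength(cert_kind, cert_bits), "forward_secrecy": fs}
    result["effective"] = min(result["symmetric"], result["key_exchange"], result["certificate"])
    return result

# Constructed samples of the relevant lines from `openssl s_client -connect host:443 </dev/null`
SAMPLE_ECDHE = """\
Server public key is 2048 bit
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
"""
SAMPLE_STATIC_RSA = """\
Server public key is 1024 bit
New, TLSv1.0, Cipher is AES256-SHA
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ECDHE, SAMPLE_STATIC_RSA):
        print(assess(sample))  # the browser's "256 bit AES" next to the effective strength
```

On the ECDHE sample the browser would show 256 bit AES, but the P-256 exchange rates 128 bits and the 2048 bit RSA certificate only 112, so 112 is what the session actually provides.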