On 19/08/2009 20:30, Justin wells wrote:
Plainly the concern is that 256 bit AES does you no good if they AES
keys were exchanged insecurely. The security of the connection is the
lesser of the security of the content encryption, and the security of
the key agreement protocol....
Yes, this is always the case in that the security is generally as strong
as the weakest link.
So what is the weakest link, and how strong does it need to be?
Plainly, if you say the weakest link should be as strong as the
strongest link, you have a problem. It can never be so, because these
things move at different speeds, and even if you construct a perfect
balancing exercise in the beginning, consider that the SSL protocol is
fundamentally 15 years in the tooth, so things may get all out of balance.
Instead what we tend to do in the crypto design world is to try and make
components pareto-secure, which is to say, strong enough that we don't
really care. So the question is different: how strong are all the
components?
Current view is that AES of all forms is strong enough, as is SHA2.
SHA1 is under a bit of a cloud. MD5 is deprecated. RSA is strong
enough 2k and beyond.
Which leads to two questions: how to switch from SHA1 (and MD5) to SHA2
or SHA3, and how soon to deprecate RSA1024 and below...
The content encryption algorithm and strength is visibly reported by
the browser, but it is likely providing a false sense of security.
Almost certainly the key agreement protocol is less secure than the
256 bit AES the browser tells me my bank supports. Using NIST's
published key equivalents, you need a 15360 bit Diffie Hellman key to
equal the security of 256 bit AES, and I am pretty sure that it's not
going to be using a 15360 bit key for agreement.
Sure, what you are saying is that numbers are easily comparible. Using
Keylength.com you can even compare from RSA to numbers from AES.
But, anyone relying on those numbers is almost certainly living under a
false sense of security. That's because (a) they are really there for
cryptographers and at a stretch, protocol designers, (b) you are
concentrating on stuff that is more or less unbreakable to start with,
and ignoring the big picture. Just to the left and to the right is
stuff that is fragile beyond belief, and is routinely broken. So,
unless you are an academic with a remit of just doing crypto, and
therefore you are allowed to avoid discussions that involve real world
security, we here in application space are totally uninterested in
whether 256 matches to 15360, or which of the 8 methods on the above
link are better.
(E.g., recent attacks against AES256 have put a cloud over it, and the
cryptographers are suggesting the unbeleivable; that AES256 may be
weaker than AES128. *BUT* the news is full right now of the indictment
of Gonzalez for 10^8 breaches of security. The real question then is
not whether there are enough bits in SSL, or AES256 or AES128, but
whether you are using the right protocol or the right security module or
even the right security paradigm....)
iang
PS: the answer is no.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
