Hi Ian, Thanks for your reply! It's very enlightening, and I do agree that in the real world there are a lot of issues other than the cryptographic issues. Just to be sure, I am not suggesting that the weakest link should be as strong as the strongest link. I am just trying to understand how weak the weakest link is.
So far I haven't been able to find any documentation, or anyone, who can tell me what I actually get when I connect to a website. For all I know my browser is exchanging keys with a 256bit RSA key and then telling me that it's established a secure connection. As you say RSA >2k is secure enough for most purposes, per NIST a 2048bit key is good enough for data that needs protection only to 2031, after which 3072 bit keys are acceptable. All I'm trying to do is sort out whether I've got that level of protection or not, and it seems tough to figure out. For Firefox I'd like to make the recommendation that the text that reads "Connection Encryption: High-grade Encryption (AES 256bit)" and the like be altered to instead state the strength of the weakest link, which in almost all cases is presumably the key exchange. Even AES 256 weakened by the recent attack is still providing some 110 to 112 bits of security, which is most likely still better than whatever is being used for key agreement. If you are really going to assert that this is not the important factor then perhaps some caveats should be added to the "it is unlikely anyone read this page" message that Firefox prints just after giving the content encryption strength. Justin On Aug 20, 6:02 am, Ian G <i...@iang.org> wrote: > On 19/08/2009 20:30, Justin wells wrote: > > > Plainly the concern is that 256 bit AES does you no good if they AES > > keys were exchanged insecurely. The security of the connection is the > > lesser of the security of the content encryption, and the security of > > the key agreement protocol.... > > Yes, this is always the case in that the security is generally as strong > as the weakest link. > > So what is the weakest link, and how strong does it need to be? > > Plainly, if you say the weakest link should be as strong as the > strongest link, you have a problem. It can never be so, because these > things move at different speeds, and even if you construct a perfect > balancing exercise in the beginning, consider that the SSL protocol is > fundamentally 15 years in the tooth, so things may get all out of balance. > > Instead what we tend to do in the crypto design world is to try and make > components pareto-secure, which is to say, strong enough that we don't > really care. So the question is different: how strong are all the > components? > > Current view is that AES of all forms is strong enough, as is SHA2. > SHA1 is under a bit of a cloud. MD5 is deprecated. RSA is strong > enough 2k and beyond. > > Which leads to two questions: how to switch from SHA1 (and MD5) to SHA2 > or SHA3, and how soon to deprecate RSA1024 and below... > > > > > The content encryption algorithm and strength is visibly reported by > > the browser, but it is likely providing a false sense of security. > > Almost certainly the key agreement protocol is less secure than the > > 256 bit AES the browser tells me my bank supports. Using NIST's > > published key equivalents, you need a 15360 bit Diffie Hellman key to > > equal the security of 256 bit AES, and I am pretty sure that it's not > > going to be using a 15360 bit key for agreement. > > Sure, what you are saying is that numbers are easily comparible. Using > Keylength.com you can even compare from RSA to numbers from AES. > > But, anyone relying on those numbers is almost certainly living under a > false sense of security. That's because (a) they are really there for > cryptographers and at a stretch, protocol designers, (b) you are > concentrating on stuff that is more or less unbreakable to start with, > and ignoring the big picture. Just to the left and to the right is > stuff that is fragile beyond belief, and is routinely broken. So, > unless you are an academic with a remit of just doing crypto, and > therefore you are allowed to avoid discussions that involve real world > security, we here in application space are totally uninterested in > whether 256 matches to 15360, or which of the 8 methods on the above > link are better. > > (E.g., recent attacks against AES256 have put a cloud over it, and the > cryptographers are suggesting the unbeleivable; that AES256 may be > weaker than AES128. *BUT* the news is full right now of the indictment > of Gonzalez for 10^8 breaches of security. The real question then is > not whether there are enough bits in SSL, or AES256 or AES128, but > whether you are using the right protocol or the right security module or > even the right security paradigm....) > > iang > > PS: the answer is no. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
