Re: [openssl.org #3120] Minimum size of DH

Sun, 30 Mar 2014 15:13:20 -0700 

On Fri, Mar 28, 2014 at 07:44:53PM +0100, Dr. Stephen Henson wrote:

> Certainly. Nothing is set in stone at this stage. It's only part of the master
> branch and wont appear in a release for a while yet.
> 
> [...]
> 
> Yes I'm aware of some of the problems here. I do want OpenSSL to reject
> attempts to do silly things by default (e.g. ridiculously small key sizes).
> 
> [...]
> 
> What are your thoughts on level 1? Do you think those requirements are
> reasonable? Currently (subject to change!) level 1 is the default level.

One way to address my concerns, beyond simple adjustment of which
level excludes any given mechanism or parameter value, is perhaps
to shift from numbered levels to named levels.

Numbered levels are suggestive of a simple linear scale of increasing
goodness (it goes to 11), and naive users will be tempted to max
out the security level without much thought.

In practice, things are more nuanced, and perhaps named levels would be
better.  An off the cuff example might be:

    - Permissive:       Maximal interoperability even with relatively
                        weak crypto, but completely broken parameters
                        that nobody uses may be excluded.

    - Interoperable:    Strongly interoperable with mainstream and even
                        laggard systems that are still in use.  80-bit
                        floor.

    - Restrictive:      Mostly interoperable with mainstream systems, some
                        laggard systems may be left behind.  Mostly a 112
                        bit floor, but prime DH remains at 1024 bits (IIRC
                        80-bit equivalent) due to interoperability issues.

    - Aggressive:       Mostly 128-bit and up across the board, with prime
                        DH at 2048 bits (IIRC 112-bit equivalent), again
                        for interop reasons.

What's new in the security levels is the fact that they control
multiple facets of the TLS handshake rather than just the symmetric
key length, this remains, but with named levels there is more room
to deviate from SP-800 where needed, and the names might help some
users avoid the temptation to maximize security at the cost of
interoperability.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to