On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote:
> a) The very reference you give says that to be equivalent to 128
> bits symmetric, you'd need a 3072 bit RSA key - but they require a
> 2048 bit key. And the same reference says that to be equivalent to
> 256 bits symmetric, you need a 521 bit ECC key - and yet they
> recommend 384 bits. So, no, even by that page, they are not
> recommending "equivalent" key sizes - and in fact the page says just
> that.

Suite B is specified for 128 and 192 bit security levels, with the 192 bit level using ECC-384, SHA-384, and AES-256. So it seems like if there is a hint to be drawn from the Suite B params, it's about AES-192.

> (b) most of the Internet is way behind recommendations that are now
> out there for everyone. Google recently switched to 2048 bit keys;
> hardly any other sites have done so, and some older software even
> has trouble talking to Google as a result.

Not to mention that our entire PKI system (as well as TLS < 1.2, i.e., the versions actually supported in browsers) relies on the security of SHA-1, an algorithm which has a public 2**68 (IIRC) collision attack and which was phased out by NIST years ago. Fortunately, TLS 1.2 is now finally being forced into most browsers thanks to BEAST, Lucky13, RC4 breaks, etc., but still we're bound to see some major problems on the PKI side when a practical chosen-prefix SHA-1 collision is found, as I expect at least a few widely used CAs have still not adopted randomized serial numbers and will have the MD5 experience all over again.

> On the symmetric side, I've already agreed that NSA's approval
> indicated that they considered AES secure 10 years ago, but if
> they've since learned otherwise but think they are and will remain
> the only ones with a viable attack for a while, they would be
> unlikely to admit it by changing their recommendation now.

Worth noting that NIST has announced plans to create AEAD modes based on Keccak. It will be interesting to see how quickly AES-GCM is phased out of Suite B once that occurs.

Jack
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
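The message above points at randomized certificate serial numbers as the CA-side defence against a chosen-prefix SHA-1 collision (the attacker has to predict the bytes the CA will sign, and an unpredictable serial early in the TBSCertificate denies them that). The following is an added example, not code from the thread or from any CA or project named in it: it walks the DER encoding of a Certificate just far enough to reach tbsCertificate.serialNumber and applies a coarse screen to it. The screen is a heuristic of this example's own design: a small, sequential-looking serial cannot carry the 64 bits of CSPRNG output that the CA/Browser Forum Baseline Requirements (a later rule, not something the 2013 thread cites) ask for, while a randomized serial will normally be at least 64 bits long. The two sample certificates are constructed stand-ins that contain only the fields the parser reads; the "random" serial value is a constructed constant, not one issued by any real CA.

```python
"""Coarse screen for randomized X.509 serial numbers (added example)."""

SHA256_WITH_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11
MIN_SERIAL_BITS = 64  # heuristic threshold, see lead-in


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (single-byte tag, definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; (bits+8)//8 adds the 0x00 pad
    byte exactly when the top bit is set, keeping the encoding minimal."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_encode(0x02, body)


def der_read_tlv(buf: bytes, i: int):
    """Return (tag, content_start, content_end) for the TLV at buf[i]."""
    tag = buf[i]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    first = buf[i + 1]
    if first < 0x80:
        length, start = first, i + 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(buf[i + 2:i + 2 + nbytes], "big")
        start = i + 2 + nbytes
    end = start + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, start, end


def certificate_serial(der: bytes) -> int:
    """Extract tbsCertificate.serialNumber.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... }, ... }
    """
    tag, s, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tag, s, _ = der_read_tlv(der, s)
    if tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    tag, s, e = der_read_tlv(der, s)
    if tag == 0xA0:  # optional version present: skip it
        tag, s, e = der_read_tlv(der, e)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    return int.from_bytes(der[s:e], "big", signed=True)


def serial_looks_randomized(serial: int, min_bits: int = MIN_SERIAL_BITS) -> bool:
    """Heuristic: positive and long enough to have held min_bits of CSPRNG output."""
    return serial > 0 and serial.bit_length() >= min_bits


def audit(der: bytes) -> dict:
    """Report the serial, its length in bits, and the screen's verdict."""
    serial = certificate_serial(der)
    return {"serial": serial, "bits": serial.bit_length(),
            "randomized": serial_looks_randomized(serial)}


def build_certificate_prefix(serial: int) -> bytes:
    """Constructed stand-in: only version, serialNumber and a signature
    AlgorithmIdentifier, wrapped as a Certificate would be. Not a real cert."""
    version = der_encode(0xA0, der_integer(2))  # v3
    sig_alg = der_encode(0x30, der_encode(0x06, SHA256_WITH_RSA_OID))
    tbs = der_encode(0x30, version + der_integer(serial) + sig_alg)
    return der_encode(0x30, tbs)


SEQUENTIAL_SERIAL = 0x1234  # constructed: the kind of counter value the screen should flag
RANDOM_SERIAL = 0x8F3A6B2C9D1E4F70A1B2C3D4E5F60718  # constructed 128-bit value
SAMPLE_CERTS = {
    "sequential": build_certificate_prefix(SEQUENTIAL_SERIAL),
    "randomized": build_certificate_prefix(RANDOM_SERIAL),
}

if __name__ == "__main__":
    for name, der in SAMPLE_CERTS.items():
        print(name, audit(der))
```

Because RANDOM_SERIAL has its top bit set, `der_integer` emits a leading 0x00 and the parser's signed decode recovers the positive value, which is the case a naive unsigned or pad-free reader gets wrong. The screen is deliberately coarse: it cannot prove a serial was drawn from a CSPRNG, only rule out serials that are too short to have been.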
