On 9/21/13 at 5:07 PM, c...@funwithsoftware.org (Patrick Pelletier) wrote:

I'm inclined to agree with you, but you might be interested/horrified in the "1024 bits is enough for anyone" debate currently unfolding on the TLS list:


I think that this comment is a serious misinterpretation of the discussion on the TLS list.

The RFC under discussion is a Best Current Practices (BCP) RFC. Some people, including me, think that changes to the protocol or current implementations of the protocol are out of scope for a BCP document.

There are several implementations of TLS which will only do 1024 bit Diffie-Hellman ephemeral (DHE)[1]. The question as I see it is: Are we better off recommending forward security with 1024 bit DHE, with the possibility that large organizations can brute force it; or using the technique of having the client encrypt the keying material with the server's RSA key with the probability that the same large organizations have acquired the server's secret key.

Now there are good arguments on both sides.

The nearly complete database of who talks to who allows "interesting" communications [2] to be singled out for attacks on the 1024 bit DHE. Cracking all the DHE exchanges is probably more work than these large organizations can do with current technology. However, it is almost certain that these sessions will be readable in the not too distant future.

It is widely believed that most large sites have had their RSA secret keys compromised, which makes all these sessions are trivially readable.

I think that the vast majority of TLS list commenters want to have TLS 1.3 include fixes for the problems that have been identified. However, getting TLS 1.3 approved is at least a year, and getting it through the FIPS process will add at least another year. We already know that these large organizations work to delay better crypto, sometimes using the argument that we should wait for the perfect solution rather than incrementally adopt better solutions in the mean time.

Cheers - Bill

[1] Implementations which will only do 1024 bit DHE are said to include: Apache with OpenSSL, Java, and Windows crypt libraries (used by Internet Explorer). If longer keys are used by the other side, they abort the connection attempt.

[2] I actually believe NSA when they say they aren't interested in grandma's cookie recipe. I am, but I like good cookies. :0)

Bill Frantz        | Privacy is dead, get over    | Periwinkle
(408)356-8506 | it. | 16345 Englewood Ave www.pwpconsult.com | - Scott McNealy | Los Gatos, CA 95032

The cryptography mailing list

Reply via email to