On 2014-01-08 07:46, Man Ho (Certizen) wrote:
> Hi,
> I have noted that a lot of arguments are being discussed regarding
> deprecation of SHA-1 certificates, both intermediate CA certificates and
> end-entity certificates.
> However, we know SHA-2 is a set of algorithms: SHA-224, SHA-256, SHA-384,
> SHA-512, SHA-512/224, SHA-512/256. Which SHA-2 algorithm should CAs use?
> It seems that most CAs who have a SHA-2 root certificate trusted in Mozilla
> products have chosen SHA-256. Do you know why not choose SHA-512, given
> that SHA-512 has a stronger security strength than SHA-256?
I'm not convinced there is a need for the CA certificates themselves to
start using SHA-2. I think the only thing we care about for those is
a preimage attack. SHA-1 still provides 160 bits of security for that.
A 2048 bit RSA key only provides about 112 bits of security. For a 4096
bit key it's slightly over 128 bits; it's hard to find good numbers for
it, but it's around 140 bits. SHA-1 still seems fine for that.
SHA-256 would provide 128 bits for a collision attack and 256 bits for a
preimage attack.
I think it would be nice to have in the future, and would recommend
SHA-256 for new keys, but I see no need to start moving the CAs to
SHA-256 at this time.
For end user certificates I think it's different and we also have to be
more worried about the collision attack. I think for both 2048 and 4096
bit keys SHA-256 should be fine there. The entropy of at least 20 bits
in the certificate should make the collision attack harder, and 4096 bit
certificates are probably going to be used in a system where the
total chain is supposed to provide 128 bits of security.
Kurt
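A small model of the argument above, added here as a worked example (it is not code from the thread or from Mozilla): each link in a chain is rated by the weaker of its signing key and its digest, with the digest rated differently under the preimage model (CA certificates) and the collision model (end-entity certificates). The RSA strengths are the NIST SP 800-57 equivalences, so 4096-bit keys are rated conservatively at 128 bits; the `entropy_bits` bonus for unpredictable certificate content is a rough model, an assumption of this example.

```python
from typing import NamedTuple

# Symmetric-equivalent strength of RSA moduli (NIST SP 800-57 Part 1 table).
RSA_STRENGTH_BITS = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
HASH_OUTPUT_BITS = {"sha1": 160, "sha224": 224, "sha256": 256,
                    "sha384": 384, "sha512": 512}


class Link(NamedTuple):
    rsa_bits: int          # size of the key that signs this certificate
    hash_name: str         # digest used in the signature
    entropy_bits: int = 0  # unpredictable bits in the signed content (e.g. serial)


def rsa_strength(rsa_bits: int) -> int:
    """Strength of the largest tabulated size not exceeding rsa_bits (conservative)."""
    sizes = [s for s in RSA_STRENGTH_BITS if s <= rsa_bits]
    if not sizes:
        raise ValueError("key too small to rate")
    return RSA_STRENGTH_BITS[max(sizes)]


def hash_strength(hash_name: str, threat: str, entropy_bits: int = 0) -> int:
    """Generic attack cost of the digest under the given threat model."""
    n = HASH_OUTPUT_BITS[hash_name]
    if threat == "preimage":
        return n  # generic preimage search costs about 2^n
    if threat == "collision":
        # Birthday bound 2^(n/2). Rough model (assumption): content the attacker
        # cannot predict forces one collision search per guess of those bits.
        return n // 2 + entropy_bits
    raise ValueError(f"unknown threat model: {threat}")


def link_strength(link: Link, threat: str) -> int:
    return min(rsa_strength(link.rsa_bits),
               hash_strength(link.hash_name, threat, link.entropy_bits))


def weakest_component(link: Link, threat: str) -> str:
    """Which part of the link bounds its strength: the key or the hash."""
    h = hash_strength(link.hash_name, threat, link.entropy_bits)
    return "hash" if h < rsa_strength(link.rsa_bits) else "key"


def chain_strength(chain: list, threat: str) -> int:
    return min(link_strength(link, threat) for link in chain)


if __name__ == "__main__":
    # Constructed chain: RSA-2048 intermediate signed with SHA-1, RSA-2048 leaf.
    ca = Link(2048, "sha1")
    print("CA link, preimage model:", link_strength(ca, "preimage"), weakest_component(ca, "preimage"))
    for leaf in (Link(2048, "sha1"), Link(2048, "sha1", 20), Link(2048, "sha256")):
        print("leaf", leaf, "collision model:", link_strength(leaf, "collision"),
              weakest_component(leaf, "collision"))
```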
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy