On Fri, Mar 28, 2014, Hubert Kario wrote:

> Currently OpenSSL sorts ciphers according to key size first, then key exchange
> and finally the MAC used.
>
> This does not result in a list sorted by strength (as the documentation would
> suggest). Ciphers using 3DES use a 168 bit key, but because of the
> meet-in-the-middle attack, the effective cipher strength is 112 bit, see [NIST
> SP800-57] and [ENISA] for details.
>

To address this I'd suggest we just change the security bits for 3DES ciphersuites to 112 bits in the SSL_CIPHER structure. The SSL_CIPHER structure has separate fields for key length and security bits.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
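
The effect of the change proposed in this thread, as an added example that is not part of the original messages and is not OpenSSL's code: a toy structure with separate fields for security bits and key length is sorted by security bits, once with 3DES at 168 and once at 112. The struct, the function names and the three-entry cipher list are constructed for illustration; the field names `strength_bits` and `alg_bits` are assumed to mirror the two SSL_CIPHER fields the reply refers to.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for SSL_CIPHER: only the two fields
 * discussed in the thread. Not the real OpenSSL definition. */
struct toy_cipher {
    const char *name;
    int strength_bits;  /* security bits: what the ordering uses */
    int alg_bits;       /* key length: what the cipher actually takes */
};

/* Strongest first, comparing security bits only. */
static int by_strength_desc(const void *a, const void *b)
{
    const struct toy_cipher *x = a, *y = b;
    return y->strength_bits - x->strength_bits;
}

/* Sort a constructed sample list and return the 0-based position of `name`.
 * tdes_strength is the security-bits value assigned to the 3DES suite;
 * its key length stays 168 in both cases. */
int rank_after_sort(const char *name, int tdes_strength)
{
    struct toy_cipher list[] = {
        { "AES128-SHA",   128,           128 },
        { "DES-CBC3-SHA", tdes_strength, 168 },
        { "AES256-SHA",   256,           256 },
    };
    size_t n = sizeof(list) / sizeof(list[0]);

    qsort(list, n, sizeof(list[0]), by_strength_desc);
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i].name, name) == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    /* 168 security bits: 3DES is ranked ahead of AES-128. */
    printf("3DES rank at 168: %d\n", rank_after_sort("DES-CBC3-SHA", 168));
    /* 112 security bits: 3DES drops below AES-128, key length unchanged. */
    printf("3DES rank at 112: %d\n", rank_after_sort("DES-CBC3-SHA", 112));
    return 0;
}
```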
