On 10/26/14, 1:26 PM, Paul Hoffman wrote:
On Oct 24, 2014, at 8:21 AM, Leif Johansson <[email protected]> wrote:
This email starts a 2 week WGLC for draft-ietf-uta-tls-bcp-06. Please
provide your comments no later than Friday the 7th of November.
The following is split into three sections in decreasing order of importance.
--Paul Hoffman
*** Huge security issue ***
5.4:
Rationale: because Diffie-Hellman keys of 1024 bits are estimated to
be roughly equivalent to 80-bit symmetric keys, it is better to use
longer keys for the "DHE" family of cipher suites. Key lengths of at
least 2048 bits are estimated to be roughly equivalent to 112-bit
symmetric keys and might be sufficient for at least the next
10 years. See Section 5.5 for additional information on the use of
modular Diffie-Hellman in TLS.
Earlier, the document points to RFC 3766 (thank you), and that document has
different estimates than what the draft has here. From RFC 3766:
====================
+-------------+-----------+--------------+--------------+
|   System    |           |              |              |
| requirement | Symmetric |  RSA or DH   | DSA subgroup |
| for attack  |  key size | modulus size |     size     |
| resistance  |  (bits)   |   (bits)     |    (bits)    |
|   (bits)    |           |              |              |
+-------------+-----------+--------------+--------------+
|     70      |     70    |     947      |     129      |
|     80      |     80    |    1228      |     148      |
|     90      |     90    |    1553      |     167      |
|    100      |    100    |    1926      |     186      |
|    150      |    150    |    4575      |     284      |
|    200      |    200    |    8719      |     383      |
|    250      |    250    |   14596      |     482      |
+-------------+-----------+--------------+--------------+
5.1. TWIRL Correction
If the TWIRL machine becomes a reality, and if there are advances in
parallelism for row reduction in factoring, then conservative
estimates would subtract about 11 bits from the system security
column of the table. Thus, in order to get 89 bits of security, one
would need an RSA modulus of about 1900 bits.
====================
That is, with a TWIRL correction, 1024-bit keys yield about 65 bits of
equivalent strength, not the 80 listed in the draft. A 2048-bit key would give
about 92 bits of strength.
Of course, the draft can refer to other documents that have happier estimates
of strength for 1024-bit and 2048-bit keys, but that does not help the intended
audience for this document.
4.2:
o In many application protocols, clients can be configured to use
TLS even if the server has not advertised that TLS is mandatory or
even supported (e.g., this is often the case in messaging
protocols such as IMAP and XMPP).
What is "advertised" supposed to mean here? The above is certainly not true for
STARTTLS-style protocols. If this is meant to cover protocols that use URI schemes that might or
might not end in "s", those are not server advertisements. I'm not sure how to reword
this because it is too unclear.
I propose:
Peter
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
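An added example, not part of this thread, the draft, or RFC 3766: a small checker that turns the finite-field DH group size a TLS server actually negotiates (as printed by `openssl s_client` in its "Server Temp Key" line) into the RFC 3766 symmetric-equivalent estimate from the table quoted above, optionally applying the 11-bit TWIRL correction from RFC 3766 section 5.1, and compares the group size against the draft's 2048-bit floor. Assumptions of this example, not of the sources: strength is read off the table conservatively (largest row whose modulus does not exceed the observed size, no interpolation), the policy threshold is the draft's 2048 bits, and the host names and output lines are constructed sample input.

```python
"""Grade negotiated DH group sizes against the RFC 3766 table.

Added example; not code from the UTA thread, the draft, or RFC 3766.
The sample scan output below is constructed for illustration.
"""
import re

# (modulus bits, symmetric-equivalent bits) rows from the RFC 3766 table
# quoted in the thread. DSA subgroup sizes are omitted; not needed here.
RFC3766_DH_TABLE = [
    (947, 70),
    (1228, 80),
    (1553, 90),
    (1926, 100),
    (4575, 150),
    (8719, 200),
    (14596, 250),
]

TWIRL_CORRECTION_BITS = 11      # RFC 3766 section 5.1
POLICY_MIN_MODULUS_BITS = 2048  # the draft's "at least 2048 bits" (assumed policy)


def estimated_strength(modulus_bits, twirl=False):
    """Conservative RFC 3766 estimate for a finite-field DH modulus.

    Takes the largest table row whose modulus does not exceed the given
    size (floor, no interpolation: an assumption of this example), then
    subtracts the TWIRL correction if requested. Returns None when the
    modulus is smaller than the smallest row in the table.
    """
    strength = None
    for modulus, symmetric in RFC3766_DH_TABLE:
        if modulus_bits >= modulus:
            strength = symmetric
    if strength is None:
        return None
    return strength - TWIRL_CORRECTION_BITS if twirl else strength


# Matches "Server Temp Key: DH, 1024 bits", "Server Temp Key: ECDH, P-256,
# 256 bits" and "Server Temp Key: X25519, 253 bits".
TEMP_KEY_RE = re.compile(
    r"Server Temp Key:\s*([A-Za-z0-9]+)(?:,\s*[^,]+)?,\s*(\d+)\s*bits"
)


def parse_temp_key(line):
    """Return (key-exchange type, bits) from a 'Server Temp Key' line, else None."""
    m = TEMP_KEY_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def grade_line(line, twirl=True):
    """Return (kx_type, bits, estimated_strength, meets_policy).

    Only finite-field "DH" is graded against the RFC 3766 modulus table;
    ECDH/X25519 groups are reported with None for strength and policy.
    Lines that are not 'Server Temp Key' lines return None.
    """
    parsed = parse_temp_key(line)
    if parsed is None:
        return None
    kx, bits = parsed
    if kx != "DH":
        return kx, bits, None, None
    return kx, bits, estimated_strength(bits, twirl), bits >= POLICY_MIN_MODULUS_BITS


# Constructed sample: what a scan of three hypothetical hosts might print.
SAMPLE_SCAN_OUTPUT = """\
host=mail.example.test
Server Temp Key: DH, 1024 bits
host=xmpp.example.test
Server Temp Key: DH, 2048 bits
host=web.example.test
Server Temp Key: ECDH, P-256, 256 bits
"""


def report(text, twirl=True):
    """Grade every 'Server Temp Key' line in a block of scan output."""
    rows = []
    for line in text.splitlines():
        graded = grade_line(line, twirl)
        if graded is not None:
            rows.append(graded)
    return rows


if __name__ == "__main__":
    for kx, bits, strength, ok in report(SAMPLE_SCAN_OUTPUT):
        if strength is None:
            print(f"{kx:6} {bits:5} bits  not a finite-field group; not graded here")
        else:
            verdict = "OK" if ok else "BELOW 2048-bit FLOOR"
            print(f"{kx:6} {bits:5} bits  ~{strength} bits symmetric "
                  f"(TWIRL-corrected)  {verdict}")
```

With the TWIRL correction the floor reading reproduces the RFC's own remark that a modulus of about 1900 bits buys roughly 89 bits of security (the 1926-bit row minus 11). Interpolating between rows instead of flooring would give slightly higher figures for sizes such as 1024 that fall between rows; the floor was chosen because a deployment check should err on the conservative side.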