On 10/26/14, 1:26 PM, Paul Hoffman wrote:
*** Huge security issue ***

5.4:

   Rationale: because Diffie-Hellman keys of 1024 bits are estimated to be roughly equivalent to 80-bit symmetric keys, it is better to use longer keys for the "DHE" family of cipher suites. Key lengths of at least 2048 bits are estimated to be roughly equivalent to 112-bit symmetric keys and might be sufficient for at least the next 10 years. See Section 5.5 for additional information on the use of modular Diffie-Hellman in TLS.

Earlier, the document points to RFC 3766 (thank you), and that document has different estimates than what the draft has here. From RFC 3766:

====================

   +-------------+-----------+--------------+--------------+
   | System      |           |              |              |
   | requirement | Symmetric | RSA or DH    | DSA subgroup |
   | for attack  | key size  | modulus size | size         |
   | resistance  | (bits)    | (bits)       | (bits)       |
   | (bits)      |           |              |              |
   +-------------+-----------+--------------+--------------+
   |     70      |     70    |      947     |     129      |
   |     80      |     80    |     1228     |     148      |
   |     90      |     90    |     1553     |     167      |
   |    100      |    100    |     1926     |     186      |
   |    150      |    150    |     4575     |     284      |
   |    200      |    200    |     8719     |     383      |
   |    250      |    250    |    14596     |     482      |
   +-------------+-----------+--------------+--------------+

5.1. TWIRL Correction

   If the TWIRL machine becomes a reality, and if there are advances in parallelism for row reduction in factoring, then conservative estimates would subtract about 11 bits from the system security column of the table. Thus, in order to get 89 bits of security, one would need an RSA modulus of about 1900 bits.

====================

That is, with a TWIRL correction, 1024-bit keys yield about 65 bits of equivalent strength, not the 80 listed in the draft. A 2048-bit key would give about 92 bits of strength.

Of course, the draft can refer to other documents that have happier estimates of strength for 1024-bit and 2048-bit keys, but that does not help the intended audience for this document.
Paul, would the following text be more accurate?

   Rationale: For various reasons, in practice DH keys are typically generated in lengths that are powers of two (e.g., 2^10 = 1024 bits, 2^11 = 2048 bits, 2^12 = 4096 bits). Because a DH key of 1228 bits would be roughly equivalent to only an 80-bit symmetric key [RFC3766], it is better to use keys longer than that for the "DHE" family of cipher suites. A DH key of 1926 bits would be roughly equivalent to a 100-bit symmetric key [RFC3766] and a DH key of 2048 bits might be sufficient for at least the next 10 years. See Section 5.5 for additional information on the use of modular Diffie-Hellman in TLS. As noted in [RFC3766], correcting for the emergence of a TWIRL machine would imply that 1024-bit DH keys yield about 65 bits of equivalent strength and that a 2048-bit DH key would yield about 92 bits of equivalent strength.

   Servers SHOULD authenticate using at least 2048-bit certificates.

Your corrections are very much welcome.

Peter
