[Pkg-gnutls-maint] Bug#476441: libgnutls26: chooses AES128 over AES256 (again)

brian m. carlson sandals at crustytoothpaste.ath.cx
Fri May 16 14:14:55 UTC 2008


clone 476441 -1 -2
reassign -1 mutt
retitle -1 mutt: should provide options for cipher selections
severity -1 wishlist
retitle -2 libgnutls26: use the same names for ciphers as OpenSSL
severity -2 normal
kthxbye

On Fri, May 16, 2008 at 10:41:20AM +0200, Simon Josefsson wrote:
>Given the discussion so far at:
>
>http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2792

I think it's silly to intentionally weaken part of the cryptosystem.
The weakest part of the cryptosystem is currently the symmetric cipher.
If you used AES256, the weakest part would be either the MAC or the
public key.  That means that the strength of the cryptosystem lies in
the public key, where it belongs.  Any performance hit from the four
extra rounds in AES256 is only really relevant on very old
architectures, like m68k, which already takes two minutes to log in over
ssh.

You said that "to match a 256 bit symmetric key size, you need a ~15kb
large RSA key or a ~500b large DSA key."  500 bits is not a large key.
I can generate keys that are much larger than that, depending on the
protocol.  1024 bits is the standard, and some applications allow much
larger keys (OpenPGP and P.1363, for example).  If I used an 8192-bit p,
then I could even make q a 512-bit prime.  8000-bit keys are not that
far off in the future for high security applications.

Also, AES256 was the default in libgnutls13, so this change is a
regression.

>I'm inclined to close this as a wontfix report.

Please don't close it.  If you don't want to implement it, you may tag
it as wontfix.

>You may want to review our documentation on key sizes:
>
>http://www.gnu.org/software/gnutls/manual/html_node/Selecting-cryptographic-key-sizes.html

I'm aware that symmetric and asymmetric keys have different sizes for
the same strength.  I've read Applied Cryptography cover to cover,
several times.

>That table is based on research in:
>
>http://citeseer.ist.psu.edu/lenstra99selecting.html

I take exception to this data.  The lower bound for 2008 is 1279 bits,
which is way, way too low.  An appropriate minimum key size for anything
that will last more than a year is 2048.  I wouldn't even dream of using
anything symmetric with less than 128 bits these days, unless it was
3DES-EDE3 (which is equivalent to 112 bits).

>We are open for discussion if you can provide better justification why
>changing to AES-256 is warranted.
>
>Note that changing the default for all programs is different from
>_allowing_ AES-256 to be used in each program.  I believe you should be
>able to use AES-256 with all programs that use GnuTLS.  If a program
>using GnuTLS doesn't allow you to use AES-256, please file a bug on that
>program.

Unfortunately mutt doesn't have that knob, and even if it did, it would
be hard to use, since GnuTLS doesn't have the same names for ciphers and
doesn't have the same categories either.  I think this solution is only
acceptable if the names are the same, because otherwise, the config
files break, depending on how the programs are compiled.

Note that this happens with OpenLDAP, too.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187