[Pkg-openssl-devel] Bug#747453: Arbitrary key size limitations causing hard-to-diagnose problems when establishing a connection

Kurt Roeckx kurt at roeckx.be
Fri May 9 18:27:02 UTC 2014


On Fri, May 09, 2014 at 07:55:32PM +0200, Benny Baumann wrote:
> 
> --> I'd call even 16384 bit RSA when using AES256 a sane and expected
> configuration.

I agree that it has about an equivalent strength.  I'm not sure I
agree that it's an expected combination or configuration.  But if
your security level should be 256 bits, you need to fix more than
the RSA key.  For instance you would also need to use hash
algorithms that have a 256 bit security level which might mean
something like SHA256 or SHA512 depending on what you're using it for.
And as far as I know there isn't a GCM cipher with SHA512, and you
really should be using GCM.

Also please note that that NIST recommendation is only about
cryptography and doesn't say anything about SSL/TLS.

> > As such the severity should be lower than
> > serious.
> >
> > I have no opinion on normal / important.
> Okay, let's settle in the middle at grave, shall we?

Grave would be higher than serious.  If you're not happy with
normal feel free to set it to important.

> The DSA limit by the way doesn't even make sense when comparing it with
> RSA: RSA and DSA are assumed to be roughly equal in strength when
> measured in bits of key size used (putting away some flaws of DSA for a
> moment). Given this assumption it's illogical to limit RSA at 4096 bit
> while keeping DSA open up to 10000 bit.

It makes little sense to me why the limit for DSA should be there.

> That's a different story altogether as most XMPP server software doesn't
> even properly allow to setup cipher strings or accepted TLS versions
> (BTW: ejabberd in Debian supports neither, just BTW).

If there is no bug about this yet, please file it.

> > And AES128 really is all you need.
> Says who?

Vincent Rijmen (one of the creators of AES) said:
"On the choice between AES256 and AES128: I would never
consider using AES256, just like I don't wear a helmet when
I sit inside my car. It's too much bother for the epsilon
improvement in security."


Kurt
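
The weakest-link point made in the reply above (a 16384-bit RSA key with AES256 still needs hashes of matching strength, and which hash is enough depends on whether it signs or keys a MAC/PRF), as an added Python example that is not part of the thread. The RSA equivalences are assumed from NIST SP 800-57 Part 1, and the hash and cipher tables are constructed for illustration:

```python
"""Weakest-link check of a TLS configuration's security level.

Constructed example: the effective level is the minimum over the RSA
key, the signature hash, the PRF/MAC hash and the cipher.  RSA strengths
follow NIST SP 800-57 Part 1 (assumed reference); the other tables are
constructed for this illustration.
"""

# RSA modulus size (bits) -> symmetric-equivalent strength (NIST SP 800-57).
_RSA_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
# Hash output length in bits (constructed subset).
_HASH_BITS = {"sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}
# Symmetric cipher key size in bits (constructed subset).
_CIPHER_BITS = {"aes128": 128, "aes256": 256}


def rsa_strength(bits: int) -> int:
    """Largest tabulated strength whose modulus size is <= bits (0 below 1024)."""
    strength = 0
    for modulus, level in _RSA_STRENGTH:
        if bits >= modulus:
            strength = level
    return strength


def hash_strength(name: str, use: str) -> int:
    """Signatures need collision resistance (n/2); MAC/PRF use needs preimage (n)."""
    n = _HASH_BITS[name.lower()]
    return n // 2 if use == "signature" else n


def effective_level(rsa_bits: int, sig_hash: str, prf_hash: str, cipher: str):
    """Return (level, limiting component, per-component strengths)."""
    components = {
        "rsa": rsa_strength(rsa_bits),
        "signature hash": hash_strength(sig_hash, "signature"),
        "prf/mac hash": hash_strength(prf_hash, "mac"),
        "cipher": _CIPHER_BITS[cipher.lower()],
    }
    weakest = min(components, key=components.get)
    return components[weakest], weakest, components


if __name__ == "__main__":
    # 16384-bit RSA and AES256, but SHA256 signatures: only 128 bits overall.
    print(effective_level(16384, "sha256", "sha256", "aes256"))
    # Moving the signature hash to SHA512 lifts the whole chain to 256 bits.
    print(effective_level(16384, "sha512", "sha256", "aes256"))
```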
