[TLS] security levels for TLS

To: tls at lists.ietf.org
Subject: [TLS] security levels for TLS
From: "Nikos Mavrogiannopoulos" <nmav at gnutls.org>
Date: Mon, 8 Oct 2007 16:21:42 +0300
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition:x-google-sender-auth; bh=Rpyizvm/Foy5xO0Qjy0yCvmKFtR4hvPvst8/b3kgLO8=; b=Egr+c3kE5e+l2k3bdX8UXXChx0hUEVJ2uWFNLzUQOHNpEUVCiuXagFKkFgxzWlzfkeo4/SfxET6pmvaILywQx2xNuaNrHb0SBW3/8m9ls1E62jbUK5J+3D6Nq2scQ9p17YMbtB0IXmObSZOw7HQ0uO94zyfFfudL5n/Bitmuzp4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:sender:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition:x-google-sender-auth; b=RERE1vvAGytYCHl0HhIwX146TCmi+Koj0bCquqvXFlHy3LxmyjKPrn/TzRD5PNdX3xqe8ckeG9vBIJJuDkoROAVMtI74csmBs7faF0CbJ2KnpuxEdU9WDGF1BR0eOLTmbfXxL/h15/F8pFHQtlijvaxw9CHzCWmbz8hwdyQd934=
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>

Hello,
 It seems that in TLS the security level of a connection relies on
several factors including the ciphersuite. In certificate
authentication the certificate plays also a large factor in the
security, and especially the public key of it, plus the signer's
public key.

This is not visible and neither understandable in everyday work with
TLS by typical users. For example a browser connection to a site with
a 512 bit RSA key that negotiated an 128 bit ciphersuite will not
differ to a connection with a 2048 bit RSA key and the same
ciphersuite, with regard to visible user data. This makes difficult
for users to judge the security level of the connection and one must
never assume that a user would understand what a 512 bit RSA key
means.

For this reason I think using some form of uniform security levels to
indicated TLS security would be useful in end-applications. Those
levels could be defined in steps (as in [0]), based on objective
information of the key sizes in the certificates, the DHE prime and
generator sizes (if applicable), the MAC output size of the
ciphersuite as well as the key size of the cipher.

Then the security level could be printed either as a number (70 bits
of security) or as "weak, low, medium, high" based on some definitions
of these terms... I could make it more detailed if there is some
interest. What do you think?

regards,
Nikos

[0]. "Practical Cryptography", Fergunson, Schneier

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] security levels for TLS
  - From: Paul Hoffman
- Re: [TLS] security levels for TLS
  - From: Yngve Nysaeter Pettersen
- Re: [TLS] security levels for TLS
  - From: Eric Rescorla

Prev by Date: Re: [TLS] comments & clarifications for rfc4507bis
Next by Date: Re: [TLS] security levels for TLS
Previous by thread: [TLS] comments & clarifications for rfc4507bis
Next by thread: Re: [TLS] security levels for TLS
Index(es):
- Date
- Thread

[TLS] security levels for TLS

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.