Re: [TLS] security levels for TLS

["Yngve Nysaeter Pettersen" <yngve at opera.com>]

On Mon, 08 Oct 2007 15:21:42 +0200, Nikos Mavrogiannopoulos  
<nmav at gnutls.org> wrote:

> Hello,
>  It seems that in TLS the security level of a connection relies on
> several factors including the ciphersuite. In certificate
> authentication the certificate plays also a large factor in the
> security, and especially the public key of it, plus the signer's
> public key.
>
> This is not visible and neither understandable in everyday work with
> TLS by typical users. For example a browser connection to a site with
> a 512 bit RSA key that negotiated an 128 bit ciphersuite will not
> differ to a connection with a 2048 bit RSA key and the same
> ciphersuite, with regard to visible user data. This makes difficult
> for users to judge the security level of the connection and one must
> never assume that a user would understand what a 512 bit RSA key
> means.
>
> For this reason I think using some form of uniform security levels to
> indicated TLS security would be useful in end-applications. Those
> levels could be defined in steps (as in [0]), based on objective
> information of the key sizes in the certificates, the DHE prime and
> generator sizes (if applicable), the MAC output size of the
> ciphersuite as well as the key size of the cipher.
>
> Then the security level could be printed either as a number (70 bits
> of security) or as "weak, low, medium, high" based on some definitions
> of these terms... I could make it more detailed if there is some
> interest. What do you think?

Opera has been using a multi-level security indicator since we implemented  
SSL, the value of which is determined by input such as the symmetric  
keylengths, the public keys used in the certificate chain and the key  
exchange, OCSP results, certificate warnings, etc. We also display  
warnings if the strength of a method is less than we consider reasonably  
secure (at the moment, in 9.5 alpha, the limit for RSA/DH(E)/DSA is 900  
bits, but this can be increased in 100 bit steps by a preference).

Our position is that the weakest method defines the strength of a  
connection and a document, which for example means that we consider a  
AES-256 connection weak if one of the certificates use a 512 bit RSA key,  
or if a 2048 bit RSA key is used to secure a 56 bit DES connection.

The W3C Web Security Context (WSC) Working Group is presently considering  
at least one proposal [1] for how an improved security indicator can be  
defined, as well as numerous other issues in the area.

For more informations please see:

Opera's system:

  <URL:  
http://lists.w3.org/Archives/Public/public-wsc-wg/2006Nov/0036.html >
  (related) <URL:  
http://my.opera.com/yngve/blog/2007/06/19/it-aint-ev-til-its-ev-all-ev >

W3C WSC WG:

  <URL: http://www.w3.org/2006/WSC/ >
  [1] <URL:  
http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/PageScore >


--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		                 Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls