Re: [TLS] Security today



On Mar 29, 2008, at 3:49 AM, Mike wrote:
>> RSA labs' estimate seems a little pessimistic to me, as there has
>> been a 64-bit attack on SHA-1 for 2 years and even the original
>> researchers haven't got the computing resources to mount it. Sure,
>> the NSA might be able to do it, but not your average hacker,
>> competitor or moderately-sized botnet.  Given that, I don't see how
>> we scale to 80-bits in two years.
>
> Even if it's 10 years or 20, why have such a small security margin?
> Plus I believe that part of the lifetime estimate takes into account
> the expected advances in factoring methods.
>
> Put another way, if someone came to you and said they needed to
> protect millions of transactions worth billions of dollars, would
> you suggest 1024-bit RSA with RC4/MD5?  That's the reality we live
> in today.

We do trust this. You mention having read books by Schneier. No doubt  
you've come across the parable of the 50-foot pole. 1024-bit RSA with  
RC4 and HMAC-MD5 may not be the best cryptography we have today, but  
it's enough that no attacker to date has targeted the cryptography.  
All hacking and cracking you hear about is done without any attempt at  
cryptanalysis. Rather, it's done through poor database permissions,  
poor input sanitization or social engineering.

Sure, I'd love everyone to move to 4096-bit RSA or the ECC equivalent,
along with AES-256 and HMAC-SHA-256, but I don't think you can point
to any attacks that this would stop. In particular, it wouldn't save
this school's records:
http://xkcd.com/327/

If you've read the recently-published IAB draft about what makes a  
successful protocol, then yes, it looks like government intervention  
is the best way to push forward more secure cryptography. Even a
non-binding standard for e-commerce would more likely than not push
certificate vendors to comply. In the meantime, browsers could add  
visual indications for the cryptography strength, but that's nothing  
the IETF should standardize.
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.