Re: [TLS] Security today

>> Put another way, if someone came to you and said they needed to
>> protect millions of transactions worth billions of dollars, would
>> you suggest 1024-bit RSA with RC4/MD5?  That's the reality we live
>> in today.
> 
> We do trust this. You mention having read books by Schneier. No doubt 
> you've come across the parable of the 50-foot pole.

Sure, the attacker runs around the pole.  The problem with that story
is that the pole in question is not nearly 50 feet tall.  It could be
easily jumped over, perhaps after a few years of improvements to
athletic shoes.

And actually I do trust 1024-bit RSA keys.  But only for signatures
such as those used for DHE_RSA.  You really do need to have a unique
key for every transaction (or possibly limited to a very small number
of transactions), which is what DHE provides.

> 1024-bit RSA with 
> RC4 and HMAC-MD5 may not be the best cryptography we have today, but 
> it's enough that no attacker to date has targeted the cryptography. All 
> hacking and cracking you hear about is done without any attempt at 
> cryptanalysis. Rather, it's done through poor database permissions, poor 
> input sanitizations or social engineering.

The existence of other flaws is not an excuse to get the cryptography
wrong.  At some point it will be easy to break 1024-bit keys, and
with the mountain of transactions piling up, ALL USING THE EXACT SAME
KEYS, an attacker can simply passively record network traffic, wait a
few years and then run RSACrack1024.exe.

The damage is already done, by the way, if anybody is recording such
network traffic.  There is no way to prevent them from recovering all
that data, names, passwords, account numbers, transaction details.
And if you think you can just change your password and stop making
transactions on an offending site, you're wrong; your password change
will be recorded along with the rest of it.

> Sure, I'd love everyone to move to 4096-bit RSA or the ECC equivalent, 
> along with AES-256 and HMAC-SHA-256, but I don't think you can point to 
> any attacks that this would stop. In particular, it wouldn't save this 
> school's records:
> http://xkcd.com/327/

Funny cartoon, but that is not a cryptography problem.

> If you've read the recently-published IAB draft about what makes a 
> successful protocol, then yes, it looks like government intervention is 
> the best way to push forward more secure cryptography. Even a 
> non-binding standard for e-commerce would more likely than not push 
> certificate vendors to comply. In the meantime, browsers could add 
> visual indications for the cryptography strength, but that's nothing the 
> IETF should standardize.

You can forget all that and just convince software developers to use
DHE_RSA or DHE_DSS (or the EC equivalents) in preference to RSA_* in
all TLS clients and servers (especially servers).  Even with 80-bit-
secure 1024-bit DH parameters, we'd be a lot better off.

Mike
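
The argument in this message, as an added example that is not part of the original post: with RSA_* key exchange one later compromise of the server key opens every recorded session, while with DHE_RSA the same key only signs per-session shares. All parameters are toy values constructed here, the signature is unpadded textbook RSA, and every function name is hypothetical.

```python
import secrets

# Toy parameters constructed for illustration only (far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1            # Mersenne primes used as RSA factors
N, E = P * Q, 65537                    # server's long-term public key
D = pow(E, -1, (P - 1) * (Q - 1))      # server's long-term private exponent
DH_P, DH_G = 2**127 - 1, 3             # toy Diffie-Hellman group


def rsa_session():
    """RSA_* key exchange: the premaster secret is encrypted to the long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    return premaster, {"encrypted_premaster": pow(premaster, E, N)}


def dhe_rsa_session():
    """DHE_RSA: fresh exponents per session; the RSA key only signs the server share."""
    a, b = (secrets.randbelow(DH_P - 3) + 2 for _ in range(2))
    server_share, client_share = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {
        "server_share": server_share,
        "client_share": client_share,
        "signature": pow(server_share % N, D, N),
    }
    # a and b go out of scope here: nothing long-lived can rebuild the secret.
    return pow(client_share, a, DH_P), wire


def signature_valid(wire):
    """The only thing the long-term RSA key is used for in DHE_RSA."""
    return pow(wire["signature"], E, N) == wire["server_share"] % N


def recover_with_long_term_key(wire, d):
    """What a holder of recorded traffic can compute after later learning d."""
    if "encrypted_premaster" in wire:
        return pow(wire["encrypted_premaster"], d, N)
    # DHE_RSA: d could forge future signatures, but it does not decrypt
    # anything in the recorded shares, so the session secret stays unknown.
    return None


def replay(recorded_sessions, d):
    """Apply the leaked key to every recorded (secret, wire) pair."""
    return [recover_with_long_term_key(wire, d) for _, wire in recorded_sessions]
```
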