Re: [TLS] Comparative cipher suite strengths

[Vipul Gupta <Vipul.Gupta at sun.com>]

I'm curious to learn why the discussion doesn't branch out to consider  
ECC (e.g. RFC4492) instead of RSA? ECC is supported in OpenSSL/Firefox/ 
Internet Explorer. Is that because ECC certificates aren't available  
from the popular Certificate Authorities? This should be less of an  
issue in an embedded/closed environment where one could use their own  
CA/cert.

vipul

p.s. For those unfamiliar with the performance advantages of ECC  
public key cryptography, especially at these higher key sizes, several  
papers are available at http://research.sun.com/projects/crypto.

On Apr 24, 2009, at 5:03 AM, Blumenthal, Uri wrote:

> Regarding the real-world trade-offs - it's fairly trivial. In my  
> experience it happened that I've heard back "We cannot  
> computationally afford RSA-XXXX, therefore it will be RSA-YYYY with  
> whatever protection level it gives. AES-128 is good, recognized, and  
> we can afford it - therefore it goes in regardless of whether it's  
> an overkill in the overall picture. We accept that the weakest  
> cryptographic link will be RSA, by a probable factor of Z^K." Then  
> the discussion would usually move to implementation details, with  
> other issues and weaknesses to address.
>
>
> ----- Original Message -----
> From: tls-bounces at ietf.org <tls-bounces at ietf.org>
> To: carlyoung at keycomm.co.uk <carlyoung at keycomm.co.uk>
> Cc: tls at ietf.org <tls at ietf.org>
> Sent: Fri Apr 24 05:38:52 2009
> Subject: Re: [TLS] Comparative cipher suite strengths
>
> carlyoung at keycomm.co.uk writes:
>
> > All I want to do is to advise them, and other customers, that  
> > migrating from
> > 3DES_EDE to AES-256 - without changing their certificates from 1024  
> > bits -
> > has provided no appreciable gain in security strength as the RSA  
> > keys are the
> > weakest link in the chain.
>
> It'd be interesting to hear what they say (off-list, if it's non- 
> public).  I
> have the feeling it'll be, as someone else in this thread put it,  
> "<crickets>"
> :-).  For example I've got users using 512-bit public keys with AES  
> because
> anything more heavyweight in the embedded device they produce makes  
> the
> handshake unworkable.  Their risk assessment was that given the  
> difference
> between no security (caused by connect attempts timing out, so  
> people connect
> unsecured) and good-enough security, they'll opt for the good-enough  
> security.
>
> (Incidentally, I'm always interested in real-world experiences that  
> people
> have had in terms of users making tradeoffs like this, if anyone's  
> got any
> interesting/illuminating stories I'd love to hear them).
>
> Peter.
> _______________________________________________
> TLS mailing list
> TLS at ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS at ietf.org
> https://www.ietf.org/mailman/listinfo/tls