On Nov 3, 2014, at 8:05 PM, Peter Saint-Andre - &yet <[email protected]> wrote: > > On 10/26/14, 1:26 PM, Paul Hoffman wrote: > >> *** Huge security issue *** >> >> 5.4: >> Rationale: because Diffie-Hellman keys of 1024 bits are estimated to >> be roughly equivalent to 80-bit symmetric keys, it is better to use >> longer keys for the "DHE" family of cipher suites. Key lengths of at >> least 2048 bits are estimated to be roughly equivalent to 112-bit >> symmetric keys and might be sufficient for at least the next >> 10 years. See Section 5.5 for additional information on the use of >> modular Diffie-Hellman in TLS. >> >> Earlier, the document points to RFC 3766 (thank you), and that document has >> different estimates than what the draft has here. From RFC 3766: >> ==================== >> +-------------+-----------+--------------+--------------+ >> | System | | | | >> | requirement | Symmetric | RSA or DH | DSA subgroup | >> | for attack | key size | modulus size | size | >> | resistance | (bits) | (bits) | (bits) | >> | (bits) | | | | >> +-------------+-----------+--------------+--------------+ >> | 70 | 70 | 947 | 129 | >> | 80 | 80 | 1228 | 148 | >> | 90 | 90 | 1553 | 167 | >> | 100 | 100 | 1926 | 186 | >> | 150 | 150 | 4575 | 284 | >> | 200 | 200 | 8719 | 383 | >> | 250 | 250 | 14596 | 482 | >> +-------------+-----------+--------------+--------------+ >> >> 5.1. TWIRL Correction >> >> If the TWIRL machine becomes a reality, and if there are advances in >> parallelism for row reduction in factoring, then conservative >> estimates would subtract about 11 bits from the system security >> column of the table. Thus, in order to get 89 bits of security, one >> would need an RSA modulus of about 1900 bits. >> ==================== >> >> That is, with a TWIRL correction, 1024-bit keys yield about 65 bits of >> equivalent strength, not the 80 listed in the draft. A 2048-bit key would >> give about 92 bits of strength. >> >> Of course, the draft can refer to other documents that have happier >> estimates of strength for 1024-bit and 2048-bit keys, but that does not help >> the intended audience for this document. > > Paul, would the following text be more accurate? > > Rationale: For various reasons, in practice DH keys are typically > generated in lengths that are powers of two (e.g., 2^10 = 1024 bits, > 2^11 = 2048 bits, 2^12 = 4096 bits). Because a DH key of 1228 bits > would be roughly equivalent to only an 80-bit symmetric key > [RFC3766], it is better to use keys longer than that for the "DHE" > family of cipher suites. A DH key of 1926 bits would be roughly > equivalent to a 100-bit symmetric key [RFC3766] and a DH key of 2048 > bits might be sufficient for at least the next 10 years. See > Section 5.5 for additional information on the use of modular Diffie- > Hellman in TLS. > > As noted in [RFC3766], correcting for the emergence of a TWIRL > machine would imply that 1024-bit DH keys yield about 65 bits of > equivalent strength and that a 2048-bit DH key would yield about 92 > bits of equivalent strength. > > Servers SHOULD authenticate using at least 2048-bit certificates.
That's OK. I wish we could use stronger words about TWIRL (since I would be flabbergasted if one hadn't been created, and surprised if it hadn't been improved on), but I think that's all we can say while being evidence-based. --Paul Hoffman _______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
