[Cryptography] What TLS ciphersuites are still OK?

james hughes hughejp at mac.com
Mon Sep 9 22:59:09 EDT 2013


On Sep 9, 2013, at 2:49 PM, Stephen Farrell <stephen.farrell at cs.tcd.ie> wrote:

> On 09/09/2013 05:29 PM, Ben Laurie wrote:
>> Perry asked me to summarise the status of TLS a while back ... luckily I
>> don't have to because someone else has:
>> 
>> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>> 
>> In short, I agree with that draft. And the brief summary is: there's only
>> one ciphersuite left that's good, and unfortunately its only available in
>> TLS 1.2:
>> 
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> 
> I don't agree the draft says that at all. It recommends using
> the above ciphersuite. (Which seems like a good recommendation
> to me.) It does not say anything much, good or bad, about any
> other ciphersuite.
> 
> Claiming that all the rest are no good also seems overblown, if
> that's what you meant.


I retract my previous "+1" for this ciphersuite. This is hard coded 1024 DHE and 1024bit RSA. 

From 
	http://en.wikipedia.org/wiki/Key_size
>> As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys

80 bit strength. Hard coded key sizes. Nice. 

AES 128 with a key exchange of 80 bits. What's a factor of 2^48 among friends…. 

additionally, as predicted in 2003… 
>> 1024-bit keys are likely to become crackable some time between 2006 and 2010 and that
>> 2048-bit keys are sufficient until 2030.
>> 3072 bits should be used if security is required beyond 2030

They were off by 3 years.

What now? 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130909/5f2f9da9/attachment.html>


More information about the cryptography mailing list