[Cryptography] ratcheting DH strengths over time

Jon Callas jon at callas.org
Fri Nov 20 14:12:33 EST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I don't really mean to point this rant at the person who wrote the paragraph below, it's really aimed all over the place, and even barely at this discussion. So I filed the name off.


> The proposal to drop support for SHA1 in signatures 6 months sooner is this kind of decision; without there being an immediate attack on practical SHA1 signatures, the perception of risk has altered.

Huh?

Six months sooner than what?

In 2004, when Wang released her attacks, there was a big to-do because NIST had said that SHA-1 should be retired at the end of 2010. The worry was that SHA-1 would get really broken (like MD5), SHA2 was shaky, and we'd have to do a lot of scrambling before 2010.

You see, 2010 is the NIST recommendation to retire *all* 80-bit crypto. That means 160-bit hashes, 1024-bit RSA/DSA/DH, and other things like Skipjack.

As it turned out, SHA-1 held on 'til 2010, and lots of the people who have to follow NIST guidelines whined that six years wasn't long enough. Well, NIST held their nose and said, "Okay, kids, you can still use 80-bit crypto until the end of 2013, but we mean it really." That went by like a Douglas Adams quote: "I love deadlines. I love the whooshing sound they make as they pass by."

Here it is, the end of 2015 and we're still talking about this stuff. There's a real-ish attack on SHA-1 now (free-start collisions; as real as the Dobbertin attack was on MD5 back in '97) and that's what's going to derail another proposed extension 'til 2017. I hope.

WHAT THE HELL IS WRONG WITH YOU PEOPLE? NIST ***TOLD*** ***YOU*** TO GET OFF THIS STUFF A DOZEN YEARS AGO! THIS WAS BACK IN THE POST-9/11 DAYS WHEN NSA WAS PLAYING THEM FOR FOOLS!

Thank you, I feel much better now. Come on, Logjam and all that looks pretty clear with 20/20 hindsight, but with 20/20 hindsight, I can also see them snickering because they told us and we didn't listen.

It matters far less whether you use Integer DH or RSA or ECC as long as you use one that's big enough. 2K or 3K is fine, but obviously 3K is better. Dan and Tanja did a really shiny EC curve for me, 41417, that not only has a Spinal Tap level of security (over 200 bits), but there are NEON implementations that make it faster than P-160.

What does it actually take to stop talking and do something? Come on, if we can't move off of 80 bit crypto for a dozen years after a warning from NIST we're going to do a ratchet? Really? I mean REALLY?

	Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.3.0 (Build 9060)
Charset: us-ascii

wsBVAwUBVk9wnvD9H+HfsTZWAQhCbgf/crH18echSzbpHpWCMGn1/4+YBj8BSDmL
zY9Ka9nnNCpPGkSGSjMJut84mWqlc7p8dJk8irWB8dR1Zuv79df33Wt7A0B1x0yr
WOcmbymi+w5gFrE7e4a3TLhqW/6Q4NDlm+JC4oH0lJN8NPs6uewOGq05jdkX4NJv
dcxFI7S/LwxaV8TfD0gInHIkVltT3abM4MGWXnlDIeevLp/Rm5KgUmUYfsB8xrXA
XDEGXgrw4338eGzfRmlybG3NPeS8OfZBI6zBVHYC0aO/ckrY0nQ2aSSazdr5JL8L
XDVimQ7ou+FhYXr2fZiwnykekhyHW1nxoaT1AslTDRfV1tOr5uBmfg==
=ASK8
-----END PGP SIGNATURE-----
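The post's point is that the primitive family matters less than its size, and that a deadline ("retire all 80-bit crypto") is a floor on the weakest component. The following Python is an added illustration, not code from the post or its author: it rates a parameter set by its weakest link using the security-strength equivalences the post alludes to (NIST SP 800-57 Part 1 Table 2 for RSA/DSA/finite-field DH moduli; the generic birthday and Pollard-rho bounds of half the bit length for hash collisions and EC discrete logs) and checks it against the transition years the post quotes (80-bit allowed through end-2010, extended through end-2013, 112-bit minimum afterwards). The sample suites and the `extension` switch are assumptions made for the example.

```python
"""Weakest-link security strength of a cipher-suite-like parameter set.

Added example; equivalences follow NIST SP 800-57 Part 1, Table 2 for
finite-field sizes. Hash and EC strengths use the generic half-bit-length
bound. Transition years are the ones the post describes.
"""

# (modulus bits, security bits) for RSA / DSA / integer DH, SP 800-57 Table 2.
FF_TABLE = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]


def ff_strength(modulus_bits):
    """Strength of an integer-DH/RSA modulus: the largest tabulated row it
    reaches (a 1536-bit modulus is rated like 1024; below 1024 rates 0)."""
    strength = 0
    for size, bits in FF_TABLE:
        if modulus_bits >= size:
            strength = bits
    return strength


def ec_strength(field_bits):
    """Pollard rho costs about sqrt(group order): half the field size.
    P-160 -> 80, Curve41417 (414-bit field) -> 207."""
    return field_bits // 2


def hash_collision_strength(digest_bits):
    """Birthday bound: SHA-1 (160) -> 80, SHA-256 -> 128."""
    return digest_bits // 2


# Component name -> (suite key, rating function), in a fixed order so that
# ties are reported deterministically.
COMPONENTS = [
    ("ff", "ff_bits", ff_strength),
    ("ec", "ec_bits", ec_strength),
    ("hash", "hash_bits", hash_collision_strength),
    ("sym", "sym_bits", lambda bits: bits),
]


def suite_strength(suite):
    """Return (strength, weakest component) for a dict such as
    {'ff_bits': 1024, 'hash_bits': 160, 'sym_bits': 128}."""
    ratings = [(rate(suite[key]), name) for name, key, rate in COMPONENTS
               if key in suite]
    if not ratings:
        raise ValueError("suite has no rated components")
    return min(ratings)


def minimum_strength(year, extension=True):
    """NIST floor for a calendar year as the post tells it: 80 bits through
    2010, which the extension stretched to 2013; 112 bits after that."""
    last_80_bit_year = 2013 if extension else 2010
    return 80 if year <= last_80_bit_year else 112


def allowed(suite, year, extension=True):
    """True if the suite's weakest link meets the floor for that year."""
    return suite_strength(suite)[0] >= minimum_strength(year, extension)


# Constructed sample suites (not taken from the post).
LEGACY = {"ff_bits": 1024, "hash_bits": 160, "sym_bits": 128}   # 80-bit era
MODERN = {"ff_bits": 3072, "hash_bits": 256, "sym_bits": 128}   # "3K is better"
CURVE41417 = {"ec_bits": 414, "hash_bits": 512, "sym_bits": 256}

if __name__ == "__main__":
    for label, suite in [("legacy", LEGACY), ("modern", MODERN),
                         ("41417", CURVE41417)]:
        bits, weakest = suite_strength(suite)
        print(f"{label:7s} {bits:3d}-bit (limited by {weakest}); "
              f"ok in 2012: {allowed(suite, 2012)}, in 2014: {allowed(suite, 2014)}")
```

Note that a 3072-bit modulus and a 256-bit digest pair with a 128-bit symmetric key; swapping in a 1024-bit group or SHA-1 anywhere in that set pulls the whole thing back to 80 bits, which is the ratchet's real target.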
