Date: Sat, 14 Nov 2015 15:25:43 +0100 (CET)
From: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>
To: owl-dev@...ts.openwall.com
Subject: Re: OpenSSH

On Fri, 13 Nov 2015, gremlin@...mlin.ru wrote:

> 2. Ciphers are
> 3. MACs are

What about KexAlgorithms? And DH groups?

> 4. ECDSA support is fully disabled by CFLAGS="-UOPENSSL_HAS_ECC".

Is this intentional?

> 5. RSA keys have minimal size of 4096 bits and default size of 8192.

It is notoriously difficult to compare the relative strength of symmetric 
and asymmetric crypto.

Nevertheless, according to an estimate based on the GNFS complexity (SP 
800-57 seems to use the same formula) RSA with a 3072-, 4096- or 8192-bit 
modulus is likely to provide 130+, 150+ or 200+ "bits of security" (let's 
call it "BoS" for brevity), respectively. All of those values seem to be 
quite adequate if your desired level is 128+ BoS (i.e. comparable to the 
cryptographical strength of AES-128 and SHA-256).

(Personally, I suspect that the strength of RSA is underestimated by the 
abovementioned formula because it does not take into account that you 
need an insanely overpowered *tightly coupled* system to solve the 2nd 
GNFS step.)

> I think of disabling ED25519 [...]: first looks intentionally weakened 
> by reducing the key size beyond good sense,

As far as I know Ed25519 is able to provide approximately 128 BoS. You may 
question whether such strength is sufficient in the really long term but I 
would hesitate to call it "beyond good sense". And its inherent resistance 
to side-channel attacks can make Ed25519 a better choice than 
other algorithms with longer keys.


-- 
Pavel Kankovsky aka Peak                      "Que sais-je?"
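
Added example, not part of the original message: the estimate referred to above, computed from the heuristic GNFS running time exp((64/9)^(1/3) (ln n)^(1/3) (ln ln n)^(2/3)), with the o(1) term dropped and no calibration constant (an assumption, so published SP 800-57 figures need not match it). The function names are made up for this illustration, and the second function goes one step beyond the message by inverting the estimate for a target level.

```python
import math

LN2 = math.log(2)
GNFS_C = (64 / 9) ** (1 / 3)  # constant in the heuristic GNFS running time


def gnfs_bits(modulus_bits: int) -> float:
    """Estimated "bits of security" of an RSA modulus of the given size.

    Returns log2 of exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) for n ~ 2^modulus_bits.
    Assumption: o(1) term ignored, no calibration against real factoring records.
    """
    ln_n = modulus_bits * LN2
    work_ln = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / LN2  # convert natural log of the work factor to log2


def min_modulus_bits(target_bits: float, lo: int = 512, hi: int = 65536) -> int:
    """Smallest modulus size in [lo, hi] whose estimate reaches target_bits.

    The estimate grows monotonically with the modulus size, so bisection works.
    If even `lo` already meets the target, `lo` is returned.
    """
    if gnfs_bits(hi) < target_bits:
        raise ValueError("target not reachable within the search range")
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_bits(mid) >= target_bits:
            hi = mid          # mid is large enough, try smaller
        else:
            lo = mid + 1      # mid is too small
    return lo


if __name__ == "__main__":
    # Modulus sizes discussed in the thread.
    for size in (3072, 4096, 8192):
        print(f"RSA-{size}: ~{gnfs_bits(size):.1f} bits")
    # Size at which the uncalibrated estimate first reaches 128 bits.
    print("128-bit level reached at", min_modulus_bits(128), "bits")
```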
