Date: Mon, 16 Nov 2015 03:25:34 +0300
From: gremlin@...mlin.ru
To: owl-dev@...ts.openwall.com
Subject: Re: OpenSSH

On 2015-11-14 15:25:43 +0100, Pavel Kankovsky wrote:

 >> 2. Ciphers are
 >> 3. MACs are
 > What about KexAlgorithms? And DH groups?

For now, it has diffie-hellman-group-exchange-sha256 and
curve25519-sha256@...ssh.org for server and, additionally,
diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1
for client.

Possibly, curve25519-sha256@...ssh.org should also be moved to
client-only algorithms.

 >> 4. ECDSA support is fully disabled by CFLAGS="-UOPENSSL_HAS_ECC".
 > Is this intentional?

Yes: ECDH and ECDSA based on NIST curves must not be trusted at all.

 >> 5. RSA keys have minimal size of 4096 bits and default size
 >> of 8192.
 > It is notoriously difficult to compare the relative strength of
 > symmetric and asymmetric crypto.

However, it's relatively simple to notice that every additional bit
in a key would require at least two transistors (physical areas on
the chip) just to store it and much more to process. That means the
cryptoprocessors already used for brute-force attacks would be much
more power-consuming, and building yet another power station to get
more gigawatts would be even more expensive.

Besides that, when all this power is consumed, it becomes heat, so
all that attacking hardware needs cooling, and that's a real problem.

 > (Personally, I suspect that the strength of RSA is underestimated
 > by the abovementioned formula because it does not take into
 > account that you need an insanely overpowered *tightly coupled*
 > system to solve the 2nd GNFS step.)

Yes. And again, this system has to be powered and cooled.

 >> I think of disabling ED25519 [... as it ...] looks intentionally
 >> weakened by reducing the key size beyond good sense,
 > As far as I know Ed25519 is able to provide approximately 128
 > BoS. You may question whether such strength is sufficient in the
 > really long term but I would hesitate to call it "beyond good
 > sense". And its inherent resistance to side-channel
 > attacks can make Ed25519 a better choice than other algorithms
 > with longer keys.

IIRC, the DSA used 1024-bit keys. Switching to the use of elliptic
curves could be a good reason to keep the key size the same, but
not to reduce it.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
