Date: Sat, 14 Nov 2015 15:25:43 +0100 (CET)
From: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>
To: owl-dev@...ts.openwall.com
Subject: Re: OpenSSH

On Fri, 13 Nov 2015, gremlin@...mlin.ru wrote:

> 2. Ciphers are
> 3. MACs are

What about KexAlgorithms? And DH groups?

> 4. ECDSA support is fully disabled by CFLAGS="-UOPENSSL_HAS_ECC".

Is this intentional?

> 5. RSA keys have minimal size of 4096 bits and default size of 8192.

It is notoriously difficult to compare the relative strength of
symmetric and asymmetric crypto. Nevertheless, according to an estimate
based on the GNFS complexity (SP 800-57 seems to use the same formula)
RSA with a 3072-, 4096- or 8192-bit modulus is likely to provide 130+,
150+ or 200+ "bits of security" (let's call it "BoS" for brevity),
respectively. All of those values seem to be quite adequate if your
desired level is 128+ BoS (i.e. comparable to the cryptographical
strength of AES-128 and SHA-256).

(Personally, I suspect that the strength of RSA is underestimated by
the abovementioned formula because it does not take into account that
you need an insanely overpowered *tightly coupled* system to solve the
2nd GNFS step.)

> I think of disabling ED25519 [...]: first looks intentionally weakened
> by reducing the key size beyond good sense,

As far as I know Ed25519 is able to provide approximately 128 BoS. You
may question whether such strength is sufficient in the really long term
but I would hesitate to call it "beyond good sense". And its inherent
resistance to side-channel attacks can make Ed25519 a better choice
than other algorithms with longer keys.

-- 
Pavel Kankovsky aka Peak "Que sais-je?"
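
The GNFS-based estimate mentioned in the message above, as an added example that is not part of the original post. It evaluates the asymptotic GNFS cost L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped (an assumption, so the figures are rough); the function names and the 256-bit search step are illustrative.

```python
import math

# GNFS constant c = (64/9)^(1/3), roughly 1.923.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_bits(modulus_bits: int) -> float:
    """Rough "bits of security" of an RSA modulus of the given size.

    Uses the asymptotic GNFS running time
        exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
    with the o(1) term dropped (assumption), expressed as a base-2 log.
    """
    if modulus_bits < 16:
        raise ValueError("modulus too small for the asymptotic estimate")
    ln_n = modulus_bits * math.log(2)  # ln n for an n of modulus_bits bits
    work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)  # natural-log exponent -> bits


def min_modulus_bits(target_bits: float, step: int = 256) -> int:
    """Smallest modulus size (multiple of `step`) whose estimate reaches
    target_bits. The step size is an illustrative choice."""
    if step <= 0:
        raise ValueError("step must be positive")
    bits = step
    while gnfs_bits(bits) < target_bits:
        bits += step
    return bits


if __name__ == "__main__":
    # Modulus sizes discussed in the thread, plus 2048 for reference.
    for size in (2048, 3072, 4096, 8192):
        print(f"RSA-{size}: ~{gnfs_bits(size):.1f} BoS")
    # Inverse question: how large a modulus for a symmetric-style target?
    for target in (128, 192, 256):
        print(f"{target} BoS needs >= {min_modulus_bits(target)}-bit modulus")
```
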