Date: Mon, 16 Nov 2015 03:25:34 +0300
From: gremlin@...mlin.ru
To: owl-dev@...ts.openwall.com
Subject: Re: OpenSSH

On 2015-11-14 15:25:43 +0100, Pavel Kankovsky wrote:

>> 2. Ciphers are
>> 3. MACs are
> What about KexAlgorithms? And DH groups?

For now, it has diffie-hellman-group-exchange-sha256 and
curve25519-sha256@...ssh.org for server and, additionally,
diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1
for client.

Possibly, curve25519-sha256@...ssh.org should also be moved to
client-only algorithms.

>> 4. ECDSA support is fully disabled by CFLAGS="-UOPENSSL_HAS_ECC".
> Is this intentional?

Yes: ECDH and ECDSA based on NIST curves must not be trusted at all.

>> 5. RSA keys have minimal size of 4096 bits and default size
>> of 8192.
> It is notoriously difficult to compare the relative strength of
> symmetric and asymmetric crypto.

However, it's relatively simple to notice that every additional bit
in a key would require at least two transistors (physical areas on
the chip) just to store it and much more to process. That means the
cryptoprocessors already used for brute-force attacks would be much
more power-consuming, and building yet another power station to get
more gigawatts would be even more expensive.

Besides that, when all this power is consumed, it becomes heat, so
all that attacking hardware needs cooling, and that's a real problem.

> (Personally, I suspect that the strength of RSA is underestimated
> by the abovementioned formula because it does not take into
> account that you need an insanely overpowered *tightly coupled*
> system to solve the 2nd GNFS step.)

Yes. And again, this system has to be powered and cooled.

>> I think of disabling ED25519 [... as it ...] looks intentionally
>> weakened by reducing the key size beyond good sense,
> As far as I know Ed25519 is able to provide approximately 128
> BoS. You may question whether such strength is sufficient in the
> really long term but I would hesitate to call it "beyond good
> sense". And its inherent resistance to side-channel
> attacks can make Ed25519 a better choice than other algorithms
> with longer keys.

IIRC, the DSA used 1024-bit keys. Switching to the use of elliptic
curves could be a good reason to keep the key size the same, but
not to reduce it.

-- 
Alexey V. Vissarionov aka Gremlin from Kremlin
<gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
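Added example, not part of the original message and not Owl's code: a Python check that compares an effective OpenSSH configuration (the `sshd -T` or `ssh -G` line format) against the server and client key exchange lists and the no-ECDSA rule described in the message above. The sample input is constructed, and curve25519-sha256@libssh.org is assumed to be the full form of the name the archive obfuscates.

```python
import re

# Policy as described in the message above (not a general recommendation).
SERVER_KEX = {
    "diffie-hellman-group-exchange-sha256",
    "curve25519-sha256@libssh.org",  # assumed full form of the obfuscated name
}
CLIENT_KEX = SERVER_KEX | {  # the client additionally keeps two SHA-1 exchanges
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
}

def parse_config(text):
    """Parse `sshd -T` / `ssh -G` style lines; the first value of a keyword wins."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        if not m or line.startswith("#"):
            continue
        opts.setdefault(m.group(1).lower(),
                        [v for v in m.group(2).strip().split(",") if v])
    return opts

def audit(text, role="server"):
    """Return findings where the effective config departs from the policy."""
    allowed = SERVER_KEX if role == "server" else CLIENT_KEX
    opts = parse_config(text)
    findings = []
    if "kexalgorithms" not in opts:
        findings.append("kexalgorithms: not set, build defaults apply")
    for kex in opts.get("kexalgorithms", []):
        if kex not in allowed:
            findings.append(f"kexalgorithms: {kex} not in {role} list")
    for opt in ("hostkeyalgorithms", "pubkeyacceptedkeytypes"):
        for alg in opts.get(opt, []):
            if "nistp" in alg:  # ecdsa-sha2-nistp256/384/521 and cert variants
                findings.append(f"{opt}: {alg} is ECDSA on a NIST curve")
    return findings

# Constructed sample, shaped like `sshd -T` output.
SAMPLE = """\
port 22
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-rsa,ecdsa-sha2-nistp256
"""

if __name__ == "__main__":
    for role in ("server", "client"):
        print(role, audit(SAMPLE, role))
```

The same sample produces one finding fewer for the client role, because diffie-hellman-group14-sha1 is on the client list only.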