On Sep 9, 2013, at 2:49 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
> On 09/09/2013 05:29 PM, Ben Laurie wrote: >> Perry asked me to summarise the status of TLS a while back ... luckily I >> don't have to because someone else has: >> >> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00 >> >> In short, I agree with that draft. And the brief summary is: there's only >> one ciphersuite left that's good, and unfortunately its only available in >> TLS 1.2: >> >> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 > > I don't agree the draft says that at all. It recommends using > the above ciphersuite. (Which seems like a good recommendation > to me.) It does not say anything much, good or bad, about any > other ciphersuite. > > Claiming that all the rest are no good also seems overblown, if > that's what you meant. I retract my previous "+1" for this ciphersuite. This is hard coded 1024 DHE and 1024bit RSA. From http://en.wikipedia.org/wiki/Key_size >> As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in >> strength to 80-bit symmetric keys 80 bit strength. Hard coded key sizes. Nice. AES 128 with a key exchange of 80 bits. What's a factor of 2^48 among friends…. additionally, as predicted in 2003… >> 1024-bit keys are likely to become crackable some time between 2006 and 2010 >> and that >> 2048-bit keys are sufficient until 2030. >> 3072 bits should be used if security is required beyond 2030 They were off by 3 years. What now?
_______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography