On 21 July 2015 at 08:44, David Banes <da...@banes.org> wrote: > On 20 Jul 2015, at 23:19, Jonathan Schleifer < > js-xmpp-operat...@webkeks.org> wrote: > > > Am 21.07.2015 um 00:10 schrieb David Banes <da...@banes.org>: > > > >> On 20 Jul 2015, at 23:07, Peter Kieser <pe...@kieser.ca> wrote: > >> > >>> On 2015-07-10 2:47 AM, Mathias Ertl wrote: > >>>> * Have a valid 4096 bit certificate with at least a sha256 signature. > >>> > >>> 4096 bit seems a bit excessive. NIST is still recommending 2048 bit > from 2011 to 2030. > >>> > >>> -Peter > >> > >> I laughed.... > > > > He's actually right - the difference between 2048 and 4096 isn't that > big. 2048 equals a symmetric cipher of ~ 112 bits, while 4096 equals a > symmetric cipher of ~ 128 bits. If you think about it, it only makes sense: > The bigger the number gets, the fewer primes there are… > > > > So, 4096 bit RSA just gives you an additional 16 bits for your AES, > while doubling the number of RSA bits more than doubles the computational > overhead… > > > > That's also the reason why there's no point in doing 8192 bit RSA: It > wound be insanely slow for just giving you a few extra bits. IIRC, to match > AES-256, you would need RSA-32768. Have fun calculating that! If you want > to match AES-256, you therefore need to go to 512-bit ECC (for ECC, you > need roughly double the bits than the symmetric cipher). > > > > -- > > Jonathan > > > > If you're serious about stopping someone with greater computational power > than you getting at your data then you should take every bit you can. But I > agree, most people won't bother because you'd need the computing power > available to NIST to compute that. > > No, no. If you're serious about this, you need to understand the crypto.
As Jonathan says, 4096 isn't even close to double the strength of 2048 bits, and it's far more likely that an algorithmic weakness will be found prior to 2048-bit asymmetric encryption becoming susceptible to brute force. So you're really better off considering switching to an elliptic curve cipher (and you can run both in parallel with some effort), if you want to consider any changes at all. (I'll leave it to the reader as to why). By far the more likely attack vector at this stage is an attack on either the client endpoints or the server (in roughly that order of likelihood). For network attacks against crypto, I would suggest that if you're looking for something susceptible to brute force, then your client authentication is looking tempting, and I'll bet it's equivalent to around 64 bits if we're lucky. If you want to make sweeping gestures to "fix" security, then doing client authentication using X.509 strong auth (with your own CA if you like) is a much more effective solution. In any case, any suggestion that switching your cipher suite will protect you in any meaningful way from the resources of a nation-state if you're specifically targetted is genuinely worth laughing at. > David. > >
