On 24/12/2013 3:19 AM, Viktor Dukhovni wrote:
On Tue, Dec 24, 2013 at 03:00:37AM +1100, nanotek wrote:

We obviously don't know which is stronger against hypothetical
unpublished attacks, EDH at 2048-bits or the P-256 curve.  Feel
free to roll the dice.  Against publicly known attacks P-256 is
both more secure and more computationally efficient than 2048-bit
EDH.

I think 384-bit ECDSA keys might be my choice then?

I don't have any interoperability information for NIST P-384 (i.e.
secp384r1).  Like its P-256 cousin it is part of Suite B, and thus
generally also supported by software that supports P-256, but it is
likely not as widely used as P-256.  If there are any practical
unpublished attacks on P-256, one might guess they would be due to
the curve being "cooked" to be vulnerable.  In that case, it would
seem prudent to assume that P-384 is also suspect.  If you're
sufficiently paranoid, there is nothing you can trust.

I don't see any compelling reason to prefer P-384 over P-256, but
also know of no reasons to avoid it.  P-384 has higher CPU cost,
but this is generally tolerable in MTAs, since unlike web servers
the SMTP connection rate is generally well below CPU performance
limits.


Thanks, Viktor. I will conduct some research and weigh my options. Whatever choice, a significant improvement on my current cryptographic protocol will be made.

--
syn.bsdbox.co
