----- Original Message -----
From: "Pavel Kankovsky"
<peak(a)argo.troja.mff.cuni.cz>
To: security(a)lists.fedoraproject.org
Sent: Thursday, 3 April, 2014 1:13:44 AM
Subject: Re: Crypto guidelines for Fedora
> On Tue, 1 Apr 2014, Hubert Kario wrote:
> > Also, cryptosystems that don't use primitives of comparable strength
> > are rather frowned upon (if only because security assessment of such
> > systems is more complex).
>
> If we took that seriously, most TLS servers using 128+-bit symmetric keys
> should be frowned upon because their certification chains include RSA keys
> shorter than 3072 bits.

Yes, they don't provide 128-bit secrecy in the case where they don't use a PFS
cipher suite with proper parameters, and provide less than 128-bit
authentication in the case where they do.

It is acceptable because we don't have 80-bit ciphers and 112-bit ciphers
(3DES) are slower than everything else on every platform. So we use 128-bit+
ciphers.

That doesn't change the fact that most of the web is running with an effective
security of 80 bits and just now some of it is migrating to 112-bit security.

> (This situation is, to be honest, ridiculous. Everything is completely
> upside-down.

Yes, yes it is.

> When you've got a hierarchy of cryptographic keys, a key at its
> top should better be the strongest of all of them because if it were
> cracked the whole hierarchy would be compromised.)

The problem is that we have to deal with a lot of hysterical^W historical
reasons. Clients that don't support SHA-2, clients that can work with
just 1024-bit RSA, clients that didn't update their CA trust store
for the past 10 years, etc.

There's no way to fix it so we have to work around it.
--
Regards,
Hubert Kario
BaseOS QE Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
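The weakest-link accounting described in this exchange, as an added example that is not part of the thread: given the RSA sizes in a certificate chain, the negotiated cipher and the key exchange, it reports authentication and secrecy levels separately, so the PFS versus non-PFS distinction above shows up in the numbers. The size-to-strength table follows the NIST SP 800-57 equivalences; the chains and suites in `examples()` are constructed samples.

```python
"""Weakest-link accounting for a TLS server (added example, not from the thread).
Strength equivalences follow NIST SP 800-57; chains in examples() are constructed."""
from dataclasses import dataclass

RSA_DH_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}  # modulus bits -> symmetric bits
ECC_STRENGTH = {256: 128, 384: 192, 521: 256}                               # curve bits -> symmetric bits

def strength(table: dict, bits: int) -> int:
    """Strength of the largest tabulated size not exceeding `bits` (0 if below all of them)."""
    fits = [s for s in table if s <= bits]
    return table[max(fits)] if fits else 0

@dataclass
class TlsSetup:
    chain_rsa_bits: list   # RSA modulus size of every cert in the chain, leaf first
    cipher_bits: int       # symmetric key size of the negotiated cipher
    kex: str               # "rsa" (no PFS), "dhe" or "ecdhe"
    kex_bits: int = 0      # DH group size or curve size for dhe/ecdhe

def effective_security(s: TlsSetup) -> dict:
    # Authentication is bounded by the weakest key anywhere in the chain
    # (leaf, intermediates, root): breaking any one of them lets the leaf be forged.
    auth = min(strength(RSA_DH_STRENGTH, b) for b in s.chain_rsa_bits)
    if s.kex == "rsa":
        # Non-PFS: the leaf key encrypts the premaster secret, so recorded
        # traffic can be read by whoever later breaks that key.
        kex = strength(RSA_DH_STRENGTH, s.chain_rsa_bits[0])
    elif s.kex == "dhe":
        kex = strength(RSA_DH_STRENGTH, s.kex_bits)
    elif s.kex == "ecdhe":
        kex = strength(ECC_STRENGTH, s.kex_bits)
    else:
        raise ValueError(f"unknown key exchange {s.kex!r}")
    return {"authentication": auth, "secrecy": min(s.cipher_bits, kex)}

def examples() -> dict:
    """Constructed 2014-style deployments with a 1024-bit key somewhere in the chain."""
    chain = [2048, 1024]
    return {
        "rsa_kex": effective_security(TlsSetup(chain, 128, "rsa")),
        "ecdhe_p256": effective_security(TlsSetup(chain, 128, "ecdhe", 256)),
        "dhe_1024": effective_security(TlsSetup(chain, 128, "dhe", 1024)),
    }

if __name__ == "__main__":
    for name, r in examples().items():
        print(f"{name:11s} authentication={r['authentication']:3d}  secrecy={r['secrecy']:3d}")
```

With AES-128 on a chain containing a 1024-bit key, only ECDHE reaches 128-bit secrecy, and authentication stays at 80 bits in every case, which is the point made above.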