[Ach] 8.5.1 key exchange -- feedback, please!

Aaron Zauner azet at azet.org
Thu Nov 21 06:52:40 CET 2013 

On 20 Nov 2013, at 22:09, L. Aaron Kaplan <kaplan at cert.at> wrote:

> 
> On Nov 20, 2013, at 6:36 PM, Aaron Zauner <azet at azet.org> wrote:
> 
>> 
>> On 20 Nov 2013, at 17:56, christian mock <cm at coretec.at> wrote:
>> 
>>> On Wed, Nov 20, 2013 at 03:23:16PM +0100, Adi Kriegisch wrote:
>>>> Hi!
>>>> 
>>>> I just started with the section about choosing your own cipher suite. The
>>>> idea is to first explain key exchange, authentication, encryption and
>>>> message authentication a little and give hints about good/bad algorithms.
>>>> 
>>>> Then move on to discuss how to select -- based on that knowledge -- cipher
>>>> suites in openssl syntax and what limitations a user/sysadmin may have to
>>>> deal with.
>>>> 
>>>> How do you like this structure? ...the content of section 8.5.1? ...and the
>>>> layout of that section?
>>> 
>>> regarding the
>>> 
>>> TODO: Team: do we need references for all cipher suites considered weak?
>> 
>> I think we should include such references!
>> 
> 
> Please take a look at section 8.3 "Known insecure and weak cipher suites".
> This is quite important. Before that section we described our recommendations.
> After that section, we explain to to chose your own cipher string.

I currently can’t find time to do that all by myself - I’ll have more time next week when I’m back on evenings and during the weekend.

BTW: I added ‘sslyze’ to the tools section. so please pull.

> 
> So, yeah, the reader should know what to avoid.
> 
> At the last meeting Philipp wanted to write that section.
> Will you get around to doing that?
> Should we just start?
> 
>>> 
>>> What about a single reference indicating that key lengths <112 (or
>>> whatever) are considered evil?
>>> 
>>> The "key exchange" section looks complete, but it needs much more
>>> clarity, especially since this is very complicated. And what does the
>>> colorful table show? ;-)
>>> 
>>> cm.
>>> 
>>> 
>>> -- 
>>> Christian Mock                          Wiedner Hauptstr. 15
>>> Senior Security Engineer                1040 Wien
>>> CoreTEC IT Security Solutions GmbH      +43-1-5037273
>>> FN 214709 z
>>> 
>>> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>>> CoreTEC: Web Application Audit - Damit so etwas nicht passiert!
>>> 
>>> http://heise.de/-1260559
>>> 
>>> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>>> _______________________________________________
>>> Ach mailing list
>>> Ach at lists.cert.at
>>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>> 
>> _______________________________________________
>> Ach mailing list
>> Ach at lists.cert.at
>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> 
> --- 
> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> // CERT Austria - http://www.cert.at/
> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1091 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131121/755868ec/attachment.sig>

More information about the Ach mailing list