[Ach] General agreement on cipher and hash strength and choice

robin.balean at a-trust.at robin.balean at a-trust.at
Mon Nov 25 16:11:46 CET 2013

As far as I know the hash algorithm in a TLS cipher suite is only used as a PRF and not as a hash.
In this context even MD5 is still considered secure.  SHA-1 and SHA-256 are certainly secure for this purpose and there is currently no need to go beyond this.

Of course in situations where it is used as a hash (such as in digital certificates) then anything SHA-256 should be the minimum used.  

It is important to realise that the algorithms one chooses be consistent.  An attacker will concentrate on the weakest one.  If you make one cipher in the suite stronger than the others you are just wasting computing time.  For example the following are rough equivalents between the symmetric and RSA asymmetric key sizes and the SHA hash functions:
 80 bit symmetric  :   1024 bit RSA  :  SHA-1
128 bit symmetric  :   3072 bit RSA  :  SHA-256
256 bit symmetric  :  15360 bit RSA  :  SHA-512

From this I hope you can see that it is somewhat absurd to recommend AES256 for the symmetric cipher or SHA-512 as the hash as nobody in their right mind would ever consider using RSA 15360.

I'd recommend reading this very good paper from A. Lenstra on key lengths: http://infoscience.epfl.ch/record/164539/files/NPDF-32.pdf

Robin Balean
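
The weakest-link argument and the equivalence table above, as an added example that is not part of the original message: it estimates the symmetric-equivalent strength of an RSA modulus from the asymptotic number field sieve cost and reports which components of a combination are oversized relative to the weakest one. The formula, its 4.69 calibration offset, the `slack` threshold and all function names are assumptions of this example; the estimate lands within a few bits of the table rows (about 132 for 3072-bit and 263 for 15360-bit RSA).

```python
import math

def rsa_strength_bits(modulus_bits):
    """Estimate the symmetric-equivalent strength of an RSA modulus from the
    asymptotic GNFS cost L_n[1/3, 1.923]. The 4.69 offset is a calibration
    constant (assumption of this example) that maps 1024-bit RSA to ~80 bits."""
    ln_n = modulus_bits * math.log(2)
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)

def hash_collision_bits(digest_bits):
    """Generic birthday bound: finding a collision costs about 2^(n/2) work."""
    return digest_bits / 2

def audit(symmetric_bits, rsa_modulus_bits, digest_bits, slack=16):
    """Return (effective_bits, weakest, oversized) for one combination.
    'oversized' lists components more than `slack` bits above the weakest."""
    levels = {
        "symmetric": float(symmetric_bits),
        "rsa": rsa_strength_bits(rsa_modulus_bits),
        "hash": hash_collision_bits(digest_bits),
    }
    weakest = min(levels, key=levels.get)
    floor = levels[weakest]
    oversized = sorted(k for k, v in levels.items() if v - floor > slack)
    return round(floor), weakest, oversized

if __name__ == "__main__":
    # Constructed combinations: (symmetric bits, RSA modulus bits, digest bits)
    combos = [(80, 1024, 160), (128, 3072, 256), (256, 2048, 512), (256, 15360, 512)]
    for combo in combos:
        print(combo, audit(*combo))
```

For AES-256 and SHA-512 paired with a 2048-bit RSA key, the audit reports RSA as the weakest component and both other components as oversized.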

-----Original Message-----
From: ach-bounces at lists.cert.at [mailto:ach-bounces at lists.cert.at] On Behalf Of Philipp Gühring
Sent: Monday, 25 November 2013 14:20
To: Daniel Kovacic; ach at lists.cert.at
Subject: Re: [Ach] General agreement on cipher and hash strength and choice


From my point of view, there is no clear preference regarding AES128 vs.
AES256 from the security point of view, it depends on your subjective attacker.
Therefore, I don't mind that we aren't consistent in a preference at the moment regarding AES128 vs. AES256.

Regarding SHA256 vs. SHA512, I think SHA512 is likely more secure than SHA256, but both are acceptable at the moment.
Regarding RSA, my current suggestion is to use 4096 for long-term keys like root-certificates, and to use 2048 bits for normal applications.

Best regards,
Philipp Gühring

-----Original Message-----
From: <Daniel.Kovacic at a-trust.at>
To: <ach at lists.cert.at>
Date: Sun, 24 Nov 2013 17:49:54 +0000
Subject: [Ach] General agreement on cipher and hash strength and choice

> Hi,
> I am currently revising the gpg (cipher suite) section and I noticed
> that we are very inconsistent in ordering ciphers and hashes in our
> configs. Especially AES{128|256}, SHA{256|512} etc attracted me. To be
> precise we have no consensus whether we prefer aes128 over aes256,
> sha256 over sha512 and so on. Same with RSA key length. I personally
> don't like that and I think we should get to an agreement here. I
> prefer recommending the most compatible, widespread, fastest etc
> algorithm we agree on being absolutely recommendable at the point of 
> writing. So I would always list aes128 before aes256 and sha256 before 
> sha512 per default. I also think that just preferring the bigger 
> numbers for the sake of being bigger looks a bit dubious and one who 
> reads rsa 4096 might ask 'why?'
> best regards
> Daniel
> PS.: Sorry, if this message arrives multiple times. something here in 
> our outlook is tricking me :-/ 
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
