[Ach] Ciphers

[Kurt Roeckx]

Hi,

I found your draft document yesterday.  I've participated in
several other discussion about the same topic, so I would like
to add some comments.

As you note in the section in 3.2.3 about configuration B, it's
not compatible with things that use schannel (like IE) from
windows XP.  You need to enable either 3DES or RC4 for those
users.  We all hope that they stop using it soon.  But since this
is supposed to be a practicle document for that people can just
use and it should just work, maybe we should also have a
configuration C for those people that care about those users.

3DES should have 156 bit of security but is known to only have
112 bit.  As I understand it, 112 bit also what is currently
recommended as the minimum size, matching the 2048 bit RSA key.
3DES is slow, but there is no problems with it assuming
BEAST isn't a problem.  There are patches for XP that fix it.

On the other hand you could use RC4, which has known weakness
but is much faster and doesn't have the BEAST.

So people will have to choise between one of those, and depending
on who you ask you get a different answer.  Some people are afraid
of the inpack of 3DES on performance.  But I hope the number of
users actually needing to use that should be low enough that it
shouldn't have a big impact.


No version of internet explorer has an (EC)DHE cipher on the top
of it's list of prefered ciphers, but about all other clients do
have ECDHE as first in their prefered list.  If want all clients
that support PFS to do PFS you might need force the server to
their order of preference instead of the clients.


It says the SHA-1 is broken.  But that's only for collision
attacks.  It's always used as part of an HMAC and we care about
the preimage resistance there and SHA-1 is fine there.  MD5 isn't
even problematic in an HMAC, but there is no reason to keep using
it.  So SHA-1 is safe in the cipher string, but we want to avoid
it in the certificate.  I think the certificate part is being done
by the browsers forcing the CAs to do that, but it of course
wouldn't hurt to check what the used for your certificate.

It's unclear on what you recommend for RSA key sizes, other than
smaller than 2048 should not be used.  For OpenVPN you say to use
4096 but in the text say 2048.

You seem to order AES256 above AES128 all the time.  I see no good
reason for doing that.  I think we should recommend AES128 intead.
That would also mean that the 256 bit EC curve should be good
enough and there is no need for the 384 bit one.

You also seem to put DHE above ECDHE all the time.  But DHE is
slow and I think people would prefer to use ECDHE over DHE.
Apache 2.2 currently only supports 1024 bit DH and there are
also clients that have problems with bigger sizes than 1024.  I
think we should recommend ECDHE over DHE.

I know some people don't trust the nistp curves, but at the same
time recommend to use ECC.  As alternative there is brainpool, but
unfortuantly there is no released software available yet that
supports it as far as I know.


Kurt