Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <alpine.LRH.2.02.1511141400490.7403@argo.troja.mff.cuni.cz>
Date: Sat, 14 Nov 2015 15:25:43 +0100 (CET)
From: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>
To: owl-dev@...ts.openwall.com
Subject: Re: OpenSSH

On Fri, 13 Nov 2015, gremlin@...mlin.ru wrote:

> 2. Ciphers are
> 3. MACs are

What about KexAlgorithms? And DH groups?

> 4. ECDSA support is fully disabled by CFLAGS="-UOPENSSL_HAS_ECC".

Is this intentional?

> 5. RSA keys have minimal size of 4096 bits and default size of 8192.

It it notoriously difficult to compare the relative strength of symmetric 
and asymmetric crypto.

Nevertheless, according to an estimate based on the GNFS complexity (SP 
800-57 seems to use the same formula) RSA with a 3072-, 4096- or 8192-bit 
modulus is likely to provide 130+, 150+ or 200+ "bits of security" (let's 
call it "BoS" for brevity), respectively. All of those values seem to be 
quite adequate if your desired level is 128+ BoS (i.e. comparable to the 
cryptographical strength of AES-128 and SHA-256).

(Personally, I suspect that the strength of RSA is underestimated by the 
abovementioned formula because it does not take into account that you 
need an insanely overpowered *tightly coupled* system to solve the 2nd 
GNFS step.)

> I think of disabling ED25519 [...]: first looks intentionally weakened 
> by reducing the key size beyond good sence,

As far as I know Ed25519 is able to provide approximately 128 BoS. You may 
question whether such strength is sufficient in the really long term but I 
would hesitate to call it "beyond good sense". And its inherent resistance 
to side-channel channel attacks can make Ed25519 a better choice than 
other algoritms with longer keys.


-- 
Pavel Kankovsky aka Peak                      "Que sais-je?"

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.