[openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2

Wed Feb 11 19:06:52 UTC 2015

On 11/02/2015 16:46, Salz, Rich wrote:
>> I agree with Viktor. His suggestion (keep RC4 in MEDIUM, suppress it
>> explicilty in DEFAULT) is a good one that maintains important backward
>> compatibility while providing the desired removal of RC4 by default. There's
>> no advantage to moving RC4 to LOW.
> Sure there is:  it's an accurate description of the quality of protection provided by the algorithm. :)
Is the security level (i.e. log2 of the cost of the best
known direct attack) 40 bits (historical EXPORT label), 56
bits (historical LOW label), 112 to 127 bits (historical
MEDIUM) level, or somewhere in between?

This is the real question that should guide its
classification, not if it is "lower than what is currently
recommended".

Given the currenly available ciphers, it may make sense to
add new groups: HIGH192, HIGH256 and larger ones still. As
time progresses, the default can then move from HIGH to
HIGH192, to HIGH256 as the state of the art changes,
without redefining semantics.

Furthermore, the various attacks on SSL3/TLS1.0 padding and
IV logic creates an ongoing need to have a widely supported,
TLS1.0 compatible stream-or-otherwise-unpadded cipher choice
as an emergency fallback as other protections are being
rolled out by all kinds of vendors.

For example RC4 is immune to POODLE as well as a previous
widelypublicized attack, simply because it uses neither the
flawed SSL3padding nor the sometimes problematic TLS1.0 IV
selection.  No other cipher provides this protection when
talking to older peers that cannot or will not upgrade to
the latest-and-greatest TLS standards.

> It's also compatible with our documentation, which as was pointed out, always uses the word "currently" to describe the magic keywords.
>
> And it's also planned for the next version which won't be available until near the end of the year.
>
> And it's also compliant with the expected publication of the IETF RFC's that talk about TLS configuration and attacks.
>
> Postfix can work lay the groundwork to be future-compliant by changing its default configuration to be HIGH:MEDIUM:RC4.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150211/42cc62a3/attachment.html>