[Operators] Please enable Forward Secrecy for your servers!

Dave Cridland dave at cridland.net
Tue Jul 21 08:38:22 UTC 2015

On 21 July 2015 at 08:44, David Banes <david at banes.org> wrote:

> On 20 Jul 2015, at 23:19, Jonathan Schleifer <
> js-xmpp-operators at webkeks.org> wrote:
> > Am 21.07.2015 um 00:10 schrieb David Banes <david at banes.org>:
> >
> >> On 20 Jul 2015, at 23:07, Peter Kieser <peter at kieser.ca> wrote:
> >>
> >>> On 2015-07-10 2:47 AM, Mathias Ertl wrote:
> >>>> * Have a valid 4096 bit certificate with at least a sha256 signature.
> >>>
> >>> 4096 bit seems a bit excessive. NIST is still recommending 2048 bit
> from 2011 to 2030.
> >>>
> >>> -Peter
> >>
> >> I laughed....
> >
> > He's actually right - the difference between 2048 and 4096 isn't that
> big. 2048 equals a symmetric cipher of ~ 112 bits, while 4096 equals a
> symmetric cipher of ~ 128 bits. If you think about it, it only makes sense:
> The bigger the number gets, the fewer primes there are…
> >
> > So, 4096 bit RSA just gives you an additional 16 bits for your AES,
> while doubling the number of RSA bits more than doubles the computational
> overhead…
> >
> > That's also the reason why there's no point in doing 8192 bit RSA: It
> wound be insanely slow for just giving you a few extra bits. IIRC, to match
> AES-256, you would need RSA-32768. Have fun calculating that! If you want
> to match AES-256, you therefore need to go to 512-bit ECC (for ECC, you
> need roughly double the bits than the symmetric cipher).
> >
> > --
> > Jonathan
> >
> If you're serious about stopping someone with greater computational power
> than you getting at your data then you should take every bit you can. But I
> agree, most people won't bother because you'd need the computing power
> available to NIST to compute that.
No, no. If you're serious about this, you need to understand the crypto.

As Jonathan says, 4096 isn't even close to double the strength of 2048
bits, and it's far more likely that an algorithmic weakness will be found
prior to 2048-bit asymmetric encryption becoming susceptible to brute force.

So you're really better off considering switching to an elliptic curve
cipher (and you can run both in parallel with some effort), if you want to
consider any changes at all. (I'll leave it to the reader as to why).

By far the more likely attack vector at this stage is an attack on either
the client endpoints or the server (in roughly that order of likelihood).

For network attacks against crypto, I would suggest that if you're looking
for something susceptible to brute force, then your client authentication
is looking tempting, and I'll bet it's equivalent to around 64 bits if
we're lucky. If you want to make sweeping gestures to "fix" security, then
doing client authentication using X.509 strong auth (with your own CA if
you like) is a much more effective solution.

In any case, any suggestion that switching your cipher suite will protect
you in any meaningful way from the resources of a nation-state if you're
specifically targetted is genuinely worth laughing at.

> David.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/operators/attachments/20150721/79b23c7e/attachment.html>

More information about the Operators mailing list