ctz / ctz.github.com Goto Github PK

original reddit post:

When given a free choice, selection of AES256 over AES128 is a good shibboleth for identifying people who haven't really understood the problem, and merely concluded that "bigger is better" (which is tempting; don't get me wrong). AES192 is even better; there's literally no reason to choose it. It has all the negative points of AES256 and none of the positives of AES128.

The problem in question being: what is a sensible cryptographic security strength I can achieve across a whole system? Aiming for a 256-bit security level for HTTPS will lead to terrible disappointment:

• Sure, you can have a leaf ECDSA key on NISTP521, but the next level of certification up depends (simultaneously) on all the public CAs. That's invariably RSA1024 (~73 bit security) and SHA1 (~63 bit security). There are some tricks (HPKP, etc.) to fix these weak points after the fact, but it's hard to reason about how they affect crypto security with different attacker models.
• Now you stare carefully at the design of TLS1.2, and realise: if you can collide SHA1 (which is hardcoded in the protocol design as the default signature hash) at will, then you can MITM all connections anyway if a server accepts your statement that you can only verify a SHA1 signature (hint: it will, because backwards compatibility and because you cannot configure it otherwise).

Investigate second point