3DES is a HIGH-strength cipher?

classic Classic list List threaded Threaded
22 messages Options
12
Reply | Threaded
Open this post in threaded view
|

3DES is a HIGH-strength cipher?

Short, Todd
Hi,

In OpenSSL 1.0.2, and 1.0.1i, 3DES-CBC’s bit-strength was changed from 168 to 112, which makes sense. However, it is still considered a HIGH-strength cipher.

RC4 is listed as having a bit strength of MEDIUM, and is a 128-bit strength cipher (kinda).

This is a bit contradictory. According to the OpenSSL cipher documentation, HIGH refers to 128-bit, or stronger, ciphers.

Should 3DES ciphers be moved to the MEDIUM category?

--
-Todd Short
// "One if by land, two if by sea, three if by the Internet."


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Richard Moore


On 12 February 2016 at 18:59, Short, Todd <[hidden email]> wrote:
Hi,

In OpenSSL 1.0.2, and 1.0.1i, 3DES-CBC’s bit-strength was changed from 168 to 112, which makes sense. However, it is still considered a HIGH-strength cipher.

RC4 is listed as having a bit strength of MEDIUM, and is a 128-bit strength cipher (kinda).

This is a bit contradictory. According to the OpenSSL cipher documentation, HIGH refers to 128-bit, or stronger, ciphers.

Should 3DES ciphers be moved to the MEDIUM category?


​I tend to agree with moving it to the medium category, but not with the reasoning. eg. We could have XOR with a 256 bit key and I still wouldn't want it to be considered as High.

Rich.
 

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Salz, Rich

My personal opinion is that things like HIGH MEDIUM LOW are bad things J


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Viktor Dukhovni
In reply to this post by Short, Todd

> On Feb 12, 2016, at 1:59 PM, Short, Todd <[hidden email]> wrote:
>
> This is a bit contradictory. According to the OpenSSL cipher documentation, HIGH refers to 128-bit, or stronger, ciphers.
>
> Should 3DES ciphers be moved to the MEDIUM category?

3DES is an MTI ciphersuite for TLS, so it must stay HIGH for now.

--
        Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Salz, Rich
> 3DES is an MTI ciphersuite for TLS, so it must stay HIGH for now.

Say what?

So is RC4 and we don't see that as HIGH. HIGH implies strength, not MTI-ness.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Viktor Dukhovni

> On Feb 12, 2016, at 3:15 PM, Salz, Rich <[hidden email]> wrote:
>
> So is RC4 and we don't see that as HIGH. HIGH implies strength, not MTI-ness.

Now let's not make stuff up:

http://tools.ietf.org/html/rfc5246#section-9

9.  Mandatory Cipher Suites

   In the absence of an application profile standard specifying
   otherwise, a TLS-compliant application MUST implement the cipher
   suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5  for the
   definition).

http://tools.ietf.org/html/rfc4346#section-9

9. Mandatory Cipher Suites

   In the absence of an application profile standard specifying
   otherwise, a TLS compliant application MUST implement the cipher
   suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.

http://tools.ietf.org/html/rfc2246#section-9

9. Mandatory Cipher Suites

   In the absence of an application profile standard specifying
   otherwise, a TLS compliant application MUST implement the cipher
   suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.

Since many users enable just HIGH ciphers, they must not exclude the MTI
ciphers.

--
--
        Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Salz, Rich
> Now let's not make stuff up:

Caught me, I should have looked it up first. :)

> Since many users enable just HIGH ciphers, they must not exclude the MTI
> ciphers.

Sob.  "So let's lie because many users don't know what to do."
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Short, Todd
In reply to this post by Viktor Dukhovni
So, if it’s “mandatory”, then it should be in the default set of ciphers, not necessarily the “HIGH” set.

I’m selecting “HIGH” because I want 128-bit+ ciphers, not a cipher that that has subsequently found to be weaker than previously thought.
--
-Todd Short
// "One if by land, two if by sea, three if by the Internet."

On Feb 12, 2016, at 3:36 PM, Viktor Dukhovni <[hidden email]> wrote:


On Feb 12, 2016, at 3:15 PM, Salz, Rich <[hidden email]> wrote:

So is RC4 and we don't see that as HIGH. HIGH implies strength, not MTI-ness.

Now let's not make stuff up:

http://tools.ietf.org/html/rfc5246#section-9

9.  Mandatory Cipher Suites

  In the absence of an application profile standard specifying
  otherwise, a TLS-compliant application MUST implement the cipher
  suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5  for the
  definition).

http://tools.ietf.org/html/rfc4346#section-9

9. Mandatory Cipher Suites

  In the absence of an application profile standard specifying
  otherwise, a TLS compliant application MUST implement the cipher
  suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.

http://tools.ietf.org/html/rfc2246#section-9

9. Mandatory Cipher Suites

  In the absence of an application profile standard specifying
  otherwise, a TLS compliant application MUST implement the cipher
  suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.

Since many users enable just HIGH ciphers, they must not exclude the MTI
ciphers.

--
--
Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Blumenthal, Uri - 0553 - MITLL
So, if it’s “mandatory”, then it should be in the default set of ciphers, not necessarily the “HIGH” set.

I’m selecting “HIGH” because I want 128-bit+ ciphers, not a cipher that that has subsequently found to be weaker than previously thought.

I used to think that MTI doesn’t mean “Mandatory To Offer”. My codebase must have it, but my server (and/or client) configuration may explicitly forbid it. Is there anything wrong with this view?



--
-Todd Short
// "One if by land, two if by sea, three if by the Internet."

On Feb 12, 2016, at 3:36 PM, Viktor Dukhovni <[hidden email]> wrote:


On Feb 12, 2016, at 3:15 PM, Salz, Rich <[hidden email]> wrote:

So is RC4 and we don't see that as HIGH. HIGH implies strength, not MTI-ness.

Now let's not make stuff up:

http://tools.ietf.org/html/rfc5246#section-9

9.  Mandatory Cipher Suites

  In the absence of an application profile standard specifying
  otherwise, a TLS-compliant application MUST implement the cipher
  suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5  for the
  definition).

http://tools.ietf.org/html/rfc4346#section-9

9. Mandatory Cipher Suites

  In the absence of an application profile standard specifying
  otherwise, a TLS compliant application MUST implement the cipher
  suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.

http://tools.ietf.org/html/rfc2246#section-9

9. Mandatory Cipher Suites

  In the absence of an application profile standard specifying
  otherwise, a TLS compliant application MUST implement the cipher
  suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.

Since many users enable just HIGH ciphers, they must not exclude the MTI
ciphers.

--
--
Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

smime.p7s (5K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Salz, Rich

> I used to think that MTI doesn’t mean “Mandatory To Offer”. My codebase must have it, but my server (and/or client) configuration may explicitly forbid it. Is there anything wrong with this view?

No.  At least within the TLS WG this has been brought up multiple times. :)
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Viktor Dukhovni
In reply to this post by Short, Todd

> On Feb 12, 2016, at 3:52 PM, Short, Todd <[hidden email]> wrote:
>
> So, if it’s “mandatory”, then it should be in the default set of ciphers, not necessarily the “HIGH” set.
>
> I’m selecting “HIGH” because I want 128-bit+ ciphers, not a cipher that that has subsequently found to be weaker than previously thought.

3DES was not found weaker than previously thought.  It is as-strong as it ever was,
with 168-bit keys that are subject to a meet-in-the-middle attack (at 2^56 memory cost)
that brings the brute force effort to a way unrealistic 112-bit attack.

The issue with 3DES its performance (slower than AES especially AESNI) and the short
block size (8 bytes vs. 16).  It is a cipher that has stood the test of time quite
well.  If you don't want 3DES, set your cipherlist to 'DEFAULT:!EXPORT:!LOW:!MEDIUM:!3DES'

--
        Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Salz, Rich
Conversely, if you do want 3DES set your cipherlist to DEFAULT:3DES

Or someone fix the manpage. :(


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Phil Pearl
In reply to this post by Short, Todd
Seconding Uri and Todd's views...

On Feb 12, 2016, at 3:36 PM, Todd Short <[hidden email]> wrote:
>So, if it’s “mandatory”, then it should be in the default set of
> ciphers, not necessarily the “HIGH” set.
>
> I’m selecting “HIGH” because I want 128-bit+ ciphers, not a cipher
> that that has subsequently found to be weaker than previously
> thought.

I have to agree.  The docs on 'cipher' in no way convey that HIGH has
any correlation to MTI (http://tools.ietf.org/html/rfc5246#section-9).
My interpretation of the I IN MTI to mean "Implement" (an
implementation detail necessary to meet the spec), but per the docs
"HIGH" seems to indicate a choice of strength desired when running the
software and therefore these seem a bit orthogonal.

Is there no hope in softening that stance?

Phil
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Viktor Dukhovni

> On Feb 12, 2016, at 4:06 PM, Phil Pearl <[hidden email]> wrote:
>
> I have to agree.  The docs on 'cipher' in no way convey that HIGH has
> any correlation to MTI (http://tools.ietf.org/html/rfc5246#section-9).
> My interpretation of the I IN MTI to mean "Implement" (an
> implementation detail necessary to meet the spec), but per the docs
> "HIGH" seems to indicate a choice of strength desired when running the
> software and therefore these seem a bit orthogonal.
>
> Is there no hope in softening that stance?

Well, it would be a major compatibility break for 1.0.2 and earlier, so
no go there.  As for 1.1.0, folks who think that 3DES is realistically
the weakest link in the security of their TLS sessions are quite
misguided.  If you are willing to disable TLS < 1.2, then feel free
to disable 3DES.  Breaking compatibility for everyone else is not a
win.  With TLS 1.3 AEAD is required, and 3DES goes away naturally.

--
        Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Salz, Rich

> Well, it would be a major compatibility break for 1.0.2 and earlier, so no go
> there.  As for 1.1.0, folks

Or those who trust us to say what HIGH means should, well, not be lied to.

Something must be changed for 1.1  Either 3DES moves out of HIGH or the definition of HIGH as documented in the manpage must change.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Michael Sierchio
I think you should revert to your earlier comment - that High, Medium, Low are inherently awful. Maybe color codes? ;-)

I consider 3DES-EDE to be adequately strong. The block size is a problem, speed in software is a problem, etc. but it has been remarkably resilient against differential cryptanalysis and other attacks. 

- M

On Fri, Feb 12, 2016 at 1:29 PM, Salz, Rich <[hidden email]> wrote:

> Well, it would be a major compatibility break for 1.0.2 and earlier, so no go
> there.  As for 1.1.0, folks

Or those who trust us to say what HIGH means should, well, not be lied to.

Something must be changed for 1.1  Either 3DES moves out of HIGH or the definition of HIGH as documented in the manpage must change.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Richard Moore
In reply to this post by Salz, Rich


On 12 February 2016 at 21:29, Salz, Rich <[hidden email]> wrote:

> Well, it would be a major compatibility break for 1.0.2 and earlier, so no go
> there.  As for 1.1.0, folks

Or those who trust us to say what HIGH means should, well, not be lied to.

Something must be changed for 1.1  Either 3DES moves out of HIGH or the definition of HIGH as documented in the manpage must change.


​Personally I think the fact that HIGH includes ciphersuites that offer no MITM protection means that those who trust it have already been totally betrayed.

Rich.

 

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Viktor Dukhovni

> On Feb 12, 2016, at 6:55 PM, Richard Moore <[hidden email]> wrote:
>
> ​Personally I think the fact that HIGH includes ciphersuites that offer no MITM protection means that those who trust it have already been totally betrayed.

The correct way to use high-grade ciphers is.

        "DEFAULT:!EXPORT:!LOW:!MEDIUM"

The various individual cipherlist building blocks are properly orthogonal,
and HIGH/MEDIUM/LOW/EXPORT covers only the symmetric algorithm strength.

One can also use it safely via constructs such as "HIGH:!aNULL:!aDSS:!kRSA"
(if say one also wants to disable DSA and RSA key transport).

--
--
        Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Richard Moore


On 13 February 2016 at 00:16, Viktor Dukhovni <[hidden email]> wrote:

> On Feb 12, 2016, at 6:55 PM, Richard Moore <[hidden email]> wrote:
>
> ​Personally I think the fact that HIGH includes ciphersuites that offer no MITM protection means that those who trust it have already been totally betrayed.

The correct way to use high-grade ciphers is.

        "DEFAULT:!EXPORT:!LOW:!MEDIUM"

The various individual cipherlist building blocks are properly orthogonal,
and HIGH/MEDIUM/LOW/EXPORT covers only the symmetric algorithm strength.

One can also use it safely via constructs such as "HIGH:!aNULL:!aDSS:!kRSA"
(if say one also wants to disable DSA and RSA key transport).

​Yeah, the apache docs didn't say this for /many/ years and it was rejected when I reported it as a security problem. The docs had been correct I believe with some older versions of openssl but the more general point is that users need a setting that doesn't require expertise, a decoder ring or a secret handshake. I think we need to reach a point where DEFAULT is the only sensible option for users without extensive expertise and means to ensure that they don't make things worse by mistake. HIGH currently is a dangerous option.

Rich.
 

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: 3DES is a HIGH-strength cipher?

Viktor Dukhovni

> On Feb 12, 2016, at 7:21 PM, Richard Moore <[hidden email]> wrote:
>
> Yeah, the apache docs didn't say this for /many/ years and it was rejected when I reported it as a security problem. The docs had been correct I believe with some older versions of openssl but the more general point is that users need a setting that doesn't require expertise, a decoder ring or a secret handshake. I think we need to reach a point where DEFAULT is the only sensible option for users without extensive expertise and means to ensure that they don't make things worse by mistake. HIGH currently is a dangerous option.

The problem is too a good degree with Apache.  They chose to expose a
raw expert interface to users without exposing a safer alternative.

Postfix uses the same OpenSSL libraries, but does not expect users to
understand the details of OpenSSL cipherlists.  Instead a safe
interface is exposed to users, and the underlying cipherlists while
also configurable are documented as "expert" configuration controls
that most users should not touch.

This does not mean that OpenSSL should not also provide additional
safe "for dummies" controls, but in the mean-time applications are
not absolved of the responsibility of providing appropriate interfaces
for their users.

--
        Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
12