Kx=RSA vs Kx=RSA(1024)


Kx=RSA vs Kx=RSA(1024)

Andy Bontoft
Hello,
Could someone please explain what the Kx=RSA denotes (By this I mean the
RSA by itself)?
It seems straight forward what Kx=RSA(512) and Kx=RSA(1024) mean but I
don't understand what RSA without a bit specification would represent,
and how it differs.
Thanks for your time
andy



Re: Kx=RSA vs Kx=RSA(1024)

Victor Duchovni
On Wed, May 10, 2006 at 05:10:18PM +0100, Andy Bontoft wrote:

> Hello,
> Could someone please explain what the Kx=RSA denotes (By this I mean the
> RSA by itself)?
> It seems straight forward what Kx=RSA(512) and Kx=RSA(1024) mean but I
> don't understand what RSA without a bit specification would represent,
> and how it differs.

A quick grep of "openssl ciphers -v" shows that all the RSA(NNN) ciphers
are "export" ciphers:

EXP1024-DES-CBC-SHA     SSLv3 Kx=RSA(1024) Au=RSA  Enc=DES(56)   Mac=SHA1 export
EXP1024-RC2-CBC-MD5     SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC2(56)   Mac=MD5  export
EXP1024-RC4-SHA         SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC4(56)   Mac=SHA1 export
EXP1024-RC4-MD5         SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC4(56)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-64-MD5              SSLv2 Kx=RSA      Au=RSA  Enc=RC4(64)   Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Kx=RSA vs Kx=RSA(1024)

Andy Bontoft
Hello Victor,
Yes agreed, but I didn't think that the 'export' masking of the
encryption algorithms' key bits had anything to do with the key exchange
algorithms. Was this view in error? If so, do you have an idea what key
size the 'normal' key exchange RSA is using?
andy


Re: Kx=RSA vs Kx=RSA(1024)

Dr. Stephen Henson
On Wed, May 10, 2006, Andy Bontoft wrote:

> Hello Victor,
> Yes agreed, but I didn't think that the 'export' masking of the
> encryption algorithms key bits had anything to do with the key exchange
> algorithms. Was this view in error? If so, do you have an idea what key
> size the 'normal' key exchange RSA is using?
> andy
>

It is from the old export restrictions. An RSA Kx with a bit restriction is
the maximum size of RSA key that can be used for key exchange in that
cipher suite.

If the server certificate key size doesn't exceed the limit then it is used.

If the server key size exceeds the key exchange limit then a temporary key of
the appropriate size is used which is signed by the certified key.

If no restriction is present on the Kx then the server's certified key is always
used.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
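The three rules Steve gives above, applied to a few of the "openssl ciphers -v" lines Victor quoted, as an added example that is not code from the original thread or from the OpenSSL project. The sample input is copied from the listing above; the helper names (parse_ciphers_v, rsa_kx_key_bits, weakest_rsa_kx) and the server certificate key sizes fed to them are assumptions made for illustration.

```python
import re

# Constructed sample input: lines copied from the "openssl ciphers -v"
# listing quoted in the thread, one for each kind of Kx annotation.
CIPHERS_V = """\
EXP1024-DES-CBC-SHA     SSLv3 Kx=RSA(1024) Au=RSA  Enc=DES(56)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# One "openssl ciphers -v" line: name, protocol, Kx=ALG or Kx=ALG(limit),
# Au=, Enc=, Mac= and an optional trailing "export" flag.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>[A-Za-z0-9]+)(?:\((?P<kxbits>\d+)\))?\s+"
    r"Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)


def parse_ciphers_v(text):
    """Parse 'openssl ciphers -v' output into dicts. kx_limit is the bit
    cap shown in parentheses after Kx, or None when there is none."""
    suites = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised cipher line: %r" % line)
        suites.append({
            "name": m["name"],
            "proto": m["proto"],
            "kx": m["kx"],
            "kx_limit": int(m["kxbits"]) if m["kxbits"] else None,
            "enc": m["enc"],
            "export": m["export"] is not None,
        })
    return suites


def rsa_kx_key_bits(suite, cert_key_bits):
    """Apply the rule from the thread to a Kx=RSA suite:
    - no limit: the certified key is always used;
    - limit present and cert key <= limit: the certified key is used;
    - limit present and cert key > limit: a temporary RSA key of the limit
      size, signed by the certified key, is used instead.
    Returns (size of the RSA key that actually encrypts the premaster
    secret, which key that is)."""
    if suite["kx"] != "RSA":
        raise ValueError("%s does not use RSA key exchange" % suite["name"])
    limit = suite["kx_limit"]
    if limit is None or cert_key_bits <= limit:
        return cert_key_bits, "certificate"
    return limit, "temporary"


def weakest_rsa_kx(suites, cert_key_bits):
    """Smallest key-exchange key size a peer could negotiate out of a
    cipher list, i.e. what leaving export suites enabled actually risks."""
    return min(rsa_kx_key_bits(s, cert_key_bits)[0]
               for s in suites if s["kx"] == "RSA")


if __name__ == "__main__":
    cert_bits = 2048  # assumed server certificate key size (constructed)
    for s in parse_ciphers_v(CIPHERS_V):
        bits, which = rsa_kx_key_bits(s, cert_bits)
        print("%-22s Kx limit=%-5s -> %4d-bit %s key"
              % (s["name"], s["kx_limit"], bits, which))
```

With a 2048-bit certificate, the two export suites fall back to a 1024-bit and a 512-bit temporary key, while AES256-SHA and DES-CBC3-SHA use the certified key as is. The same function also shows the limit of what a cipher list can enforce, which is the point of Victor's later question: for suites without a Kx limit the result is whatever the certificate key size is, so a lower bound on the peer's key has to come from inspecting the certificate itself, not from the cipher string.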

Re: Kx=RSA vs Kx=RSA(1024)

Andy Bontoft
Thanks very much, now I understand :)


Re: Kx=RSA vs Kx=RSA(1024)

Victor Duchovni
On Wed, May 10, 2006 at 06:49:27PM +0200, Dr. Stephen Henson wrote:

> If the server key size exceeds the key exchange limit then a temporary
> key of the appopriate size if used which is signed by the certified
> key. If no restriction is present on the Kx then the servers certified
> key is always used.

For a client that wants a secure channel with a given server, what is
the best way to enforce a lower bound on the RSA key size of the server
certificate? I know that the CA root certificates have what we (at least
for now) believe to be adequate key sizes, but do I need to add code to
check the server key size in the verification callback, or do the HIGH
and MEDIUM ciphers include sensible RSA key size lower bounds?

In the future non-RSA server credentials may become more ubiquitous.
Right now client verification callbacks tend to look only for X.509
credentials, are there any good examples of code that uses OpenSSL to
handle non X.509 RSA authentication mechanisms (Kerberos, ...)?

--
        Viktor.

RE: Kx=RSA vs Kx=RSA(1024)

Mark-62
Hi,

> For a client that wants a secure channel with a given server, what is
> the best way to enforce a lower bound on the RSA key size of
> the server certificate?

You can use the SSL_(CTX_)set_cipher_list() functions to restrict which
ciphers can be used.

Best Regards,
Mark Williams

Re: Kx=RSA vs Kx=RSA(1024)

Victor Duchovni
On Thu, May 11, 2006 at 09:30:16AM +0100, Mark wrote:

> Hi,
>
> > For a client that wants a secure channel with a given server, what is
> > the best way to enforce a lower bound on the RSA key size of
> > the server certificate?
>
> You can use the SSL_(CTX_)set_cipher_list() functions to restrict which
> ciphers can be used.

I am afraid you are answering the wrong question. Does anyone check the
key strength of the peer's public keys? How do you deal with the various
public key types that might be found (DSA, RSA, ECDSA, ...)? Or does one
instead expect that anything the peer was fool enough to have signed
by a mutually trusted CA is strong enough?

--
        Viktor.