[Authentication] Clarification of algorithm: dh-ietf1024-aes128-cbc-pkcs7
stefw at gnome.org
Fri Nov 26 15:02:45 PST 2010
On 2010-11-26 16:43, Brad Hards wrote:
> On Saturday, November 27, 2010 09:18:36 am Stef Walter wrote:
>> As implemented (in gnome-keyring at least) the Secret Service algorithm
>> set dh-ietf1024-aes128-cbc-pkcs7 isn't as strong as it should be.
> What is dh-ietf1024 in this algorithm?
Well we're still knocking out the details of the standard. It's
unfortunate that it was necessary to implement before it's complete :(
> Asymmetric key strength isn't equal to
> symmetric key strength. A 1024-bit Diffie Hellman key is not as strong as a 128
> bit AES key.
Good point. If we take DH as roughly as roughly the same key strength as
RSA for key sizes (can't find citation right now), then I guess we would
need to use 3072-bit DH to be somewhat equivalent to 128-bit AES.  
Would that be your recommendation?
>> * Use SHA256 to derive the key and use AES256 for encryption.
> SHA256 is 128 bits of "effective" security. Use SHA256 with AES128, and SHA512
> with AES256.
True. I was sort of thinking that we could 'get away' with using a hash
algorithm with the same output as the symmetric cipher. But yes, your
point is well taken: they're not equivalent 'strength'
>> * Use HKDF to derive the key. Perhaps more complex than we need?
> Security probably depends on which of the options (especially which hash) you
Well the deal is that this security is somewhat optional in the secret
service spec. It's a way of transporting passwords securely between
processes on the same computer, without MITM protection or taking into
account active attacks .
In some ways the lax security requirements of this could lend themselves
to shortcuts. However, we probably want to avoid these shortcuts and
just make it a solid set of algorithms. What do you think?
More information about the Authentication