[Authentication] Clarification of algorithm: dh-ietf1024-aes128-cbc-pkcs7
Yaron Sheffer
yaronf at gmx.com
Sat Nov 27 12:49:41 PST 2010
Hi Stef,
No matter how you do it, you'd want the hash algorithm to be part of the
algorithm set for future algorithm agility, for example
dh-ietf1024-*sha256*-aes128-cbc-pkcs7.
Also, HKDF is an operator (like HMAC), not an algorithm. In other words
you can have HKDF-SHA1 or HKDF-SHA256.
I agree that MD5 is not recommended. SHA-256 vs. HKDF-SHA256 is clearly
an effort vs. security tradeoff. Personally, I would go for SHA256 with
AES-128 (AES-256 has some major issues).
Thanks,
Yaron
On 11/27/2010 12:18 AM, Stef Walter wrote:
> As implemented (in gnome-keyring at least) the Secret Service algorithm
> set dh-ietf1024-aes128-cbc-pkcs7 isn't as strong as it should be.
>
> After DH key exchange, the resulting 1024 bit key is truncated into a
> short key used for AES. This is not optimal, and was brought up on the
> gnome-keyring-list.
>
> Here are some ways we can fix it. In either case, for compatibility, we
> would add a new algorithm set identifier and deprecate the old one.
>
> * Use MD5 to derive the key and use AES128 for encryption. However,
> MD5 is not recommended for use in crypto protocols.
>
> * Use SHA256 to derive the key and use AES256 for encryption.
>
> * Use HKDF [1] to derive the key. Perhaps more complex than we need?
>
> Any other thoughts?
>
> Cheers,
>
> Stef
>
> [1] http://tools.ietf.org/html/rfc5869