IDS> Min_Cipher_Suite and Min_Cipher_Key_Length attributes

Ira McDonald blueroofmusic at gmail.com
Sat Jan 31 14:44:47 EST 2009


Hi,

I think we *also* want to add references to these two IETF BCPs:

RFC 3766 Determining Strengths For Public Keys Used For Exchanging
     Symmetric Keys. H. Orman, P. Hoffman. April 2004. (Format: TXT=55939
     bytes) (Also BCP0086) (Status: BEST CURRENT PRACTICE) (23 pages)

RFC 4086 Randomness Requirements for Security. D. Eastlake, 3rd, J.
     Schiller, S. Crocker. June 2005. (Format: TXT=114321 bytes)
     (Obsoletes RFC1750) (Also BCP0106) (Status: BEST CURRENT
     PRACTICE) (48 pages)

They are both, by the way, well worth reading.

Cheers,
- Ira
Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Blue Roof Music/High North Inc
email: blueroofmusic at gmail.com
winter:
  579 Park Place  Saline, MI  48176
  734-944-0094
summer:
  PO Box 221  Grand Marais, MI 49839
  906-494-2434



On Fri, Jan 30, 2009 at 9:39 PM, Randy Turner <rturner at amalfisystems.com> wrote:
>
> Hi Brian,
> I think the IANA registry actually has the key length specified as part of
> the suite enumeration.
> Examples are:
> TLS_RSA_WITH_AES_128_CBC_SHA256
> TLS_RSA_WITH_AES_256_CBC_SHA256
> There are other suites that don't specify numeric key sizes, but in these
> cases the algorithm itself (3DES for example) works with a specific key
> size that doesn't vary.
> In this case, we may be able to just specify that we're talking about a
> minimum suite, with a reference to RFC 5246 and
> the IANA registry itself.
> Randy
>
> On Jan 30, 2009, at 6:26 PM, Brian Smithson wrote:
>
> I am still wondering how these two attributes can be used in practice. I
> know that we can uniquely identify cipher suites using the IANA
> registry, but is there an authoritative source to specify that one suite
> is "more minimum" than another? And if you consider different key
> lengths that might be acceptable for a given suite, then can we really
> say that suite X is more minimum than suite Y even if an HCD supports a
> relatively long key length for X but only supports a relatively short
> one for Y?
>
> --
> Regards,
> Brian Smithson
> PM, Security Research
> PMP, CISSP, CISA, ISO 27000 PA
> Advanced Imaging and Network Technologies
> Ricoh Americas Corporation
> (408)346-4435
>
>
>
>
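The key-length reading of IANA suite names that Randy describes above, and the Min_Cipher_Key_Length comparison Brian asks about, worked through as an added example (this is not code from the thread or from the PWG IDS spec). It assumes the RFC 5246 naming pattern TLS_<KeyExchange>_WITH_<Cipher>_<MAC>, and the table of fixed key sizes for algorithms whose names carry no number is an assumption supplied here; the suite names used as input are constructed from the IANA registry.

```python
"""Read symmetric key length out of IANA TLS cipher-suite names.

Added example, not from the original thread. Assumptions: suite names
follow TLS_<KeyExchange>_WITH_<Cipher>_<MAC> (RFC 5246 style); the
FIXED_KEY_BITS table below covers ciphers whose names carry no numeric
key size. TLS 1.3 names (no _WITH_) are rejected on purpose.
"""
import re
from dataclasses import dataclass

# Ciphers whose key size is implied by the algorithm, not spelled out in
# the name: (nominal bits, effective bits). 3DES is nominally 168 bits but
# is normally credited with 112 bits because of meet-in-the-middle attacks.
FIXED_KEY_BITS = {
    "3DES_EDE_CBC": (168, 112),
    "DES_CBC": (56, 56),
    "DES40_CBC": (40, 40),
    "RC4_128": (128, 128),
    "RC4_40": (40, 40),
    "CHACHA20_POLY1305": (256, 256),
    "NULL": (0, 0),
}

# MAC / PRF suffixes, longest first so "_SHA" never swallows "_SHA256".
MACS = ("SHA512", "SHA384", "SHA256", "SHA", "MD5")
_SUITE_RE = re.compile(r"^TLS_(?P<kex>.+?)_WITH_(?P<rest>.+)$")
_BITS_RE = re.compile(r"_(\d+)(?:_|$)")


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str
    cipher: str
    mac: str
    nominal_bits: int
    effective_bits: int


def parse_suite(name):
    """Split an IANA suite name and derive its symmetric key length."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS_..._WITH_... suite name: {name}")
    rest = m.group("rest")
    for mac in MACS:
        if rest.endswith("_" + mac):
            cipher = rest[: -len(mac) - 1]
            break
    else:
        raise ValueError(f"unrecognised MAC suffix in {name}")
    if cipher in FIXED_KEY_BITS:
        nominal, effective = FIXED_KEY_BITS[cipher]
    else:
        # Names such as AES_128_CBC or CAMELLIA_256_GCM carry the size.
        b = _BITS_RE.search(cipher)
        if not b:
            raise ValueError(f"cannot determine key size for {cipher}")
        nominal = effective = int(b.group(1))
    return Suite(name, m.group("kex"), cipher, mac, nominal, effective)


def meets_minimum(name, min_key_bits, use_effective=True):
    """Min_Cipher_Key_Length style check on a single suite."""
    s = parse_suite(name)
    bits = s.effective_bits if use_effective else s.nominal_bits
    return bits >= min_key_bits


def rank_by_key_length(names):
    """Order suites by effective key length only. This is a partial
    order: suites with equal key length but different key exchange or
    MAC are not distinguished, which is the gap Brian points at."""
    return sorted(names, key=lambda n: parse_suite(n).effective_bits)


if __name__ == "__main__":
    # Constructed sample from the IANA registry, not an HCD's real list.
    offered = [
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_RC4_128_SHA",
    ]
    for n in rank_by_key_length(offered):
        s = parse_suite(n)
        print(f"{n:40} kex={s.key_exchange} cipher={s.cipher} "
              f"nominal={s.nominal_bits} effective={s.effective_bits} "
              f"ok@128={meets_minimum(n, 128)}")
```

Two points the thread raises fall out of running this: a Min_Cipher_Key_Length of 128 accepts 3DES only if the device is scored on nominal (168) rather than effective (112) bits, so the attribute needs to say which it means; and rank_by_key_length cannot separate two AES-128 suites with different key exchange or MAC, so "minimum suite" needs either an explicit allowed list or a second ordering criterion beyond key length.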
