Re: IDS> Min_Cipher_Suite and Min_Cipher_Key_Length attributes

From: Brian Smithson (brian.smithson@ricoh-usa.com)
Date: Sat Jan 31 2009 - 19:03:54 EST

    Thanks, Randy.

    So is our key length attribute redundant?
    --
    Regards,
    Brian Smithson
    PM, Security Research
    PMP, CISSP, CISA, ISO 27000 PA
    Advanced Imaging and Network Technologies
    Ricoh Americas Corporation
    (408)346-4435


    Randy Turner wrote:

    Hi Brian,

    I think the IANA registry actually has the key length specified as part of the suite enumeration.

    Examples are:

    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256

    There are other suites that don't specify numeric key sizes, but in these cases, the algorithm itself
    (3DES for example) works with a specific key size that doesn't vary.

    In this case, we may be able to just specify that we're talking about a minimum suite, with a reference to RFC 5246 and
    the IANA registry itself.

    Randy


    On Jan 30, 2009, at 6:26 PM, Brian Smithson wrote:

    I am still wondering how these two attributes can be used in practice. I
    know that we can uniquely identify cipher suites using the IANA
    registry, but is there an authoritative source to specify that one suite
    is "more minimum" than another? And if you consider different key
    lengths that might be acceptable for a given suite, then can we really
    say that suite X is more minimum than suite Y even if an HCD supports a
    relatively long key length for X but only supports a relatively short
    one for Y?

    --
    Regards,
    Brian Smithson
    PM, Security Research
    PMP, CISSP, CISA, ISO 27000 PA
    Advanced Imaging and Network Technologies
    Ricoh Americas Corporation
    (408)346-4435
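
The point made in the thread, that an IANA suite name already carries the key length or implies a fixed one, shown as an added example that is not part of the original messages. The function names and the small fixed-key table are assumptions made for illustration, and the comparison covers key length only, not an overall ranking of suites.

```python
import re

# Ciphers whose key size is fixed by the algorithm, so the suite name has no
# number to read (effective key bits, parity excluded). Illustrative subset.
FIXED_KEY_BITS = {"3DES_EDE": 168, "DES": 56, "NULL": 0}

# Cipher families that spell the key size out in the suite name.
SIZED_CIPHER = re.compile(r"^(AES|CAMELLIA|RC4)_(\d+)(?:_|$)")

# Constructed sample input: suite names as they appear in the IANA registry.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]


def cipher_key_bits(suite: str) -> int:
    """Return the symmetric key length implied by an IANA TLS suite name."""
    prefix, sep, cipher_and_mac = suite.partition("_WITH_")
    if not prefix.startswith("TLS_") or not sep:
        raise ValueError(f"not a TLS_*_WITH_* suite name: {suite!r}")
    sized = SIZED_CIPHER.match(cipher_and_mac)
    if sized:
        # Anchored at the cipher field, so the 256 in "..._SHA256" is never
        # mistaken for a key length.
        return int(sized.group(2))
    for cipher, bits in FIXED_KEY_BITS.items():
        if cipher_and_mac.startswith(cipher + "_"):
            return bits
    raise ValueError(f"unrecognised cipher in {suite!r}")


def meets_minimum(suite: str, min_key_bits: int) -> bool:
    """Compare on key length only; this does not rank suites overall."""
    return cipher_key_bits(suite) >= min_key_bits


if __name__ == "__main__":
    for name in SAMPLE_SUITES:
        print(name, cipher_key_bits(name), meets_minimum(name, 128))
```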