Re: IDS> Min_Cipher_Suite and Min_Cipher_Key_Length attributes

From: Randy Turner (rturner@amalfisystems.com)
Date: Sat Jan 31 2009 - 19:08:11 EST


    I think so....when you actually code TLS connections using OpenSSL,
    you can specify a minimum cipher suite to be negotiated...only the
    cipher suite enumeration is specified, so I think it's ok to use just
    the enumerations.

    R.

    On Jan 31, 2009, at 4:03 PM, Brian Smithson wrote:

    > Thanks, Randy.
    >
    > So is our key length attribute redundant?
    > --
    > Regards,
    > Brian Smithson
    > PM, Security Research
    > PMP, CISSP, CISA, ISO 27000 PA
    > Advanced Imaging and Network Technologies
    > Ricoh Americas Corporation
    > (408)346-4435
    >
    >
    > Randy Turner wrote:
    >>
    >>
    >> Hi Brian,
    >>
    >> I think the IANA registry actually has the key length specified as
    >> part of the suite enumeration.
    >>
    >> Examples are:
    >>
    >> TLS_RSA_WITH_AES_128_CBC_SHA256
    >> TLS_RSA_WITH_AES_256_CBC_SHA256
    >>
    >> There are other suites that don't specify numeric key sizes, but in
    >> these cases, the algorithm itself (3DES for example) works with a
    >> specific key size that doesn't vary.
    >>
    >> In this case, we may be able to just specify that we're talking
    >> about a minimum suite, with a reference to RFC 5246 and
    >> the IANA registry itself.
    >>
    >> Randy
    >>
    >>
    >> On Jan 30, 2009, at 6:26 PM, Brian Smithson wrote:
    >>
    >>> I am still wondering how these two attributes can be used in
    >>> practice. I know that we can uniquely identify cipher suites using
    >>> the IANA registry, but is there an authoritative source to specify
    >>> that one suite is "more minimum" than another? And if you consider
    >>> different key lengths that might be acceptable for a given suite,
    >>> then can we really say that suite X is more minimum than suite Y
    >>> even if an HCD supports a relatively long key length for X but only
    >>> supports a relatively short one for Y?
    >>>
    >>> --
    >>> Regards,
    >>> Brian Smithson
    >>> PM, Security Research
    >>> PMP, CISSP, CISA, ISO 27000 PA
    >>> Advanced Imaging and Network Technologies
    >>> Ricoh Americas Corporation
    >>> (408)346-4435
    >>>
    >>>
    >>