Thread: Re: ssl_supported_ciphers.nasl issues?




Re: ssl_supported_ciphers.nasl issues?
United Kingdom
2007-04-06 09:22:29
The problem is the OpenSSL list is not continuous.
There are gaps in the ranges.

Where does 3DES fit? Is the 112-bit key Low or Medium?


----- Original Message -----
From: Sullo <sullocirt.net>
Sent: 05/04/2007 09:56:54
Subject: Re: [Plugins-writers] ssl_supported_ciphers.nasl issues?

> Thanks George.
> 
> Quoting "George A. Theall" <thealltenablesecurity.com>:
> >>     Medium Strength Ciphers (128-bit key)
> >> but the code said:
> >>     else if (nbits < 112) cat = MEDIUM_STRENGTH;
> >
> > Yes, you're right. I fixed the label to agree with the actual cutoffs in the code.
> 
> I'd still think the levels should change to:
> labels[cat] = "Low Strength Ciphers (< 128-bit key)";
> labels[cat] = "Medium Strength Ciphers (128-bit key)";
> labels[cat] = "High Strength Ciphers (> 128-bit key)";
> 
> rather than:
> labels[cat] = "Low Strength Ciphers (< 56-bit key)";
> labels[cat] = "Medium Strength Ciphers (>= 56-bit and < 112-bit key)";
> labels[cat] = "High Strength Ciphers (>= 112-bit key)";
> 
> From the OpenSSL help page:
> http://www.openssl.org/docs/apps/ciphers.html
> HIGH
> ``high'' encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.
> MEDIUM
> ``medium'' encryption cipher suites, currently some of those using 128 bit encryption.
> LOW
> ``low'' encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites.
> 
> Regards
> Sullo
> 
> -- 
> http://www.cirt.net/     |     http://www.osvdb.org/
> _______________________________________________
> Plugins-writers mailing list
> Plugins-writerslist.nessus.org
> http://mail.nessus.org/mailman/listinfo/plugins-writers


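The two labelling schemes argued over above, applied to a handful of suites so the 3DES question has a concrete answer. This is an added illustration, not code from ssl_supported_ciphers.nasl; the suite table (names, nominal and effective key bits) is constructed for the example.

```python
# Added example, not the plugin's own code: bucket SSL cipher suites by
# symmetric key size under the two labelling schemes debated in the thread.

LOW, MEDIUM, HIGH = "LOW", "MEDIUM", "HIGH"

# Constructed sample table: (OpenSSL suite name, nominal key bits, effective key bits).
# 3DES is the interesting row: 168 nominal bits, 112 bits of effective strength.
SUITES = [
    ("EXP-RC4-MD5", 40, 40),
    ("DES-CBC-SHA", 56, 56),
    ("RC4-64-MD5", 64, 64),
    ("DES-CBC3-SHA", 168, 112),
    ("AES128-SHA", 128, 128),
    ("AES256-SHA", 256, 256),
]

def nessus_category(nbits):
    """Cutoffs as in the plugin code quoted above: < 56 low, < 112 medium, else high."""
    if nbits < 56:
        return LOW
    if nbits < 112:
        return MEDIUM
    return HIGH

def proposed_category(nbits):
    """Sullo's proposed relabelling: < 128 low, exactly 128 medium, > 128 high."""
    if nbits < 128:
        return LOW
    if nbits == 128:
        return MEDIUM
    return HIGH

def bucket(classify, use_effective=True, suites=SUITES):
    """Group suite names by category, measuring key size as effective or nominal bits."""
    out = {LOW: [], MEDIUM: [], HIGH: []}
    for name, nominal, effective in suites:
        out[classify(effective if use_effective else nominal)].append(name)
    return out

def where_is_3des():
    """The thread's question: DES-CBC3-SHA under each scheme and each key measure."""
    return {
        "nessus/effective": nessus_category(112),
        "nessus/nominal": nessus_category(168),
        "proposed/effective": proposed_category(112),
        "proposed/nominal": proposed_category(168),
    }
```

Under the plugin's cutoffs 3DES lands in the high bucket either way; under the proposed < 128 rule its effective 112 bits drop it to low while its nominal 168 bits keep it high, which is exactly the gap the thread is arguing about.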

Re: ssl_supported_ciphers.nasl issues?
United States
2007-04-05 10:27:48

Quoting Dennis Jackson <dennis.jacksonndirect.co.uk>:
> The problem is the OpenSSL list is not continuous.
> There are gaps in the ranges.
>
> Where does 3DES fit? Is the 112-bit key Low or Medium?

For simplicity, I'd say < 128 == weak... unless someone wants to go through cipher by cipher and categorize each one.



-- 
http://www.cirt.net/     |     http://www.osvdb.org/

Re: ssl_supported_ciphers.nasl issues?
France
2007-04-05 10:56:10
On Thu Apr 05 2007 at 17:27, Sullo wrote:

>> Where does 3DES fit? Is the 112-bit key Low or Medium?

> For simplicity, I'd say < 128 == weak...

3DES is definitely not weak. AFAIK, nobody can break that.


Re: ssl_supported_ciphers.nasl issues?
United States
2007-04-05 15:40:10
Quoting Michel Arboi <mikhailnessus.org>:

> On Thu Apr 05 2007 at 17:27, Sullo wrote:
>
>>> Where does 3DES fit? Is the 112-bit key Low or Medium?
>
>> For simplicity, I'd say < 128 == weak...
>
> 3DES is definitely not weak. AFAIK, nobody can break that.

I would agree.

I've been comparing with Foundstone's SSLDigger, which lists Weak as < 128, Strong as 128-256, and Excellent > 256. One of our contracted assessments used this & I was trying to figure out why no "weak" ciphers were reported in Nessus when I tried to confirm... hence my statement about using 128 as the water mark for "weak" -- I'm not sure I care that much whether Nessus reports it as low or weak, now that the 56 bit ones are not just reported as "export strength".







-- 
http://www.cirt.net/     |     http://www.osvdb.org/

Re: ssl_supported_ciphers.nasl issues?
France
2007-04-05 16:13:40
On Thu Apr 05 2007 at 22:40, Sullo wrote:

> I've been comparing with Foundstone's SSLDigger, which lists Weak as
> < 128, Strong as 128-256, and Excellent > 256.

Such a scale is stupid. Can they break Skipjack (80 bits) or 3DES (112 bits)? Probably not. What is a weak unbreakable cipher?

A long key does not mean that the cipher is strong; but a short key is definitely a weakness. The key length is only one factor for the global strength. As soon as brute force attacks cannot be implemented, the length is not relevant any more.

I'd say that "weak" is something that can be broken in a reasonable time with a standard PC, "medium" something that needs dedicated hardware or needs an unreasonable time, and "strong" anything that is unbreakable by brute force, or with unreasonable means. Medium would range from 56 to 64 bits currently (Distributed.net took years to break RC5-64). 32 to 40 bits are "weak". 80 bits can probably be broken by dedicating huge amounts of CPU power for years. Let's say that's the beginning of "strong", at least for common usage. If you want to protect data during 50 years, then you probably need another scale. Using longer keys is only a part of the solution.

My $0.02

-- 
http://www.bigfoot.com/~arboi		http://ma75.blogspot.com/
PGP key ID : 0x0BBABA91 - 0x1320924F0BBABA91
Fingerprint: 1048 B09B EEAF 20AA F645  2E1A 1320 924F 0BBA BA91
