[prev in list] [next in list] [prev in thread] [next in thread]
List: dcms-dev
Subject: [opencm-dev] OpenCM Security Level Revisited...
From: "Jeroen C. van Gelderen" <jeroen () vangelderen ! org>
Date: 2003-05-03 18:44:48
[Download RAW message or body]
This has been discussed before but I've never documented my desire for
use of SHA-256. This note fills that void. It is written from memory
with regards to OpenCM details as I'm travelling. Please don't nitpick
:)
The NIST draft "Special Publication 800-57, Recommendation For Key
Management" [1] sets guidelines for key management in government
applications. When it is approved and published it will likely become
mandatory in industry and government alike. This will affect OpenCM
adoption in these areas.
According to [1] (page 98) applications offering 2^80 security are
sufficient from the present to 2015. Between 2015 and 2035 a minimum of
2^112 is required. After 2035 the requirement is 2^128.
OpenCM uses a variety of cryptographic techniques, some of which are
easily upgraded and some of which are not. Access control mechanisms
fall in the former category whereas the persistent entity hashes fall
in the latter.
OpenCM presently uses SHA-1 for its entity hashes. As these entity
hashes are subject to birthday attacks they yield about 80 bits of
security. According to [1] this is sufficient until 2015. After that
date the hash function must be replaced, preferably with SHA-256.
By sticking to SHA-1 now OpenCM is setting itself up for a Y2K problem.
OpenCM should switch to using SHA-256 for its entity hashes before a
general release, rather doing this after it has seen significant
deployment. This is especially sensible since use of SHA-256 is not
significantly more computationally expensive.
The OpenCM team should also document this decision and publish the
rationale so as to encourage others to take the same approach.
NOTE: 128-bit Swiss numbers should be used too but I think that already
is the case.
NOTE: The repository authentication key is relatively easily upgraded.
However it may be advisable to use a 2048 or 3072-bits key by default.
Unlike the immediate adoption of SHA-256, a larger repository
authentication key does pose significant computational requirements on
the client and server. Given that use of this key is not in the fast
path, a 3072-bit default may yet be sensible provided it can be
overridden.
NOTE: My personal (professional) opinion on selecting key sizes would
err slightly more on the conservative side. This would not affect the
choice of hash function (still SHA-256) but rather require a minimum of
a 1536-bit repository key [2] at present. If a 3072-bit default is not
realistic, I would advise considering a 1536-bit default which gives me
a warm, fuzzy feeling until 2013.
-J
[1] http://csrc.nist.gov/CryptoToolkit/kms/guideline-1-Jan03.pdf
[2] http://www.simovits.com/archive/cryptosizes.pdf
--
Jeroen C. van Gelderen - jeroen@vangelderen.org
"Be precise in the use of words and expect precision from others"
-- Pierre Abelard
_______________________________________________
opencm-dev mailing list
opencm-dev@smtp.opencm.org
http://www.opencm.org/mailman/listinfo/opencm-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic