From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] Mark recommended ciphers/algorithms Date: Mon, 04 Jan 2016 16:31:50 +0000 Message-ID: <1451925110.31655.257.camel@ipfire.org> In-Reply-To: <5686AF2E.8080407@web.de> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4184277237226699147==" List-Id: --===============4184277237226699147== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Hello and happy new year, On Fri, 2016-01-01 at 17:54 +0100, IT Superhack wrote: > Hello Michael, hello Larsen, > > sorry for not replying a while; xmas is always very busy Same. > > > > There seems to be a problem with the word "recommended". In the > > > > patches > > > > submitted, I recommended always the most strongest cipher. > > > > However, > > > > as > > > > you said, some of them are simply one step too much. Should > > > > then > > > > both > > > > be > > > > recommended? > > > > > > I am not sure. Can anyone come up with a more fitting expression? > > > If we > > > mark everything as "recommended" that is strong enough for now > > > after > > > our consideration, we will have most of them tagged with that > > > word. > > > In > > > that case it would make more sense to mark the weak stuff as such > > > to > > > keep readability. Maybe that is the way to go. But does the > > > average > > > Joe > > > know what is meant by "weak"? > > > > Joe should know enough that "weak" is normally not what is wanted. > > Otherwise he should RTFM > > > > You could recommend the strongest cipher that would take an > > attacker > > millions of years to break, but on the other hand force the > > hardware > > to > > burn its CPU, while another "not as strong as the recommended one" > > cipher > > would also take an attacker thousands of years, but not consume > > that > > much > > CPU. > Maybe it is better to mark just the weak or broken entries. I agree, > "recommended" is not very specific here - maybe "strongest" would be > better. Especially to mark AES-256-CBC on the OpenVPN main page. Using "strongest" is a very good idea. As mentioned earlier it is hard to tell if an algorithm is good or bad, but we can rank them based on key sizes, etc. And in the end there will be a "strongest" cipher. That is still as subjective as "weak" is, but I think it is easy to understand for every user. > > If we have "weak". Should we have "broken", too? For example we > > have to > > support MD5. I wouldn't say that MD5 is weak. It is more than that. > Okay, so we have: > MD5 "broken" > SHA1 "weak" > DH-1024-params "broken" (? not sure about this) > DH-2048-params "weak" > AES-256-CBC "recommended"/"strongest" (on OpenVPN page only) > > Do you think this is a good way to start? If yes, I could send in > some > patches. I can agree on this with all the labels except "broken" for DH-1024. It works and it makes sense to use this for short-lived keys. It should be avoided if we can, so I would suggest "very weak". I think we can label AES-256-GCM as "strongest" on the IPsec page, too. > > > > > Why should IKEv2 be recommended? AFAIK there are no known design > > issues > > with IKEv1. Some algorithms might not be available, but this is not > > an > > issue for now since AES, SHA2, (AKA the strong ones) are supported. > @Michael: That is correct, I did not RTFM. o:-) > > Looking forward to hear from you. Happy new year! > > Best regards, > Timmothy Wilson Best, -Michael > --===============4184277237226699147== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjEKCmlRSWNCQUFC Q2dBR0JRSldpcDUyQUFvSkVJQjU4UDl2a0FrSEFUSVFBSVhkT3RMSy9NNUxpV21GU2c2bGs2U1kK Mk8vSUlDODFyYlJvU2dackQ2OG9YMzF5TTlEU3A2dXB2SGJVb3UrNWpIVFhwMlJJVjh4dGJxbmNn WWhaMGJVKwpCZlhQaUtBdlE1TG5mUkxMT2lrQjBaUkN6T3dSZnlKM2o4ZU42SkxBUjNUMG5pWjBV SHNXMXgvSTRqc0dxZlpZCk9xM2VxNGd3SjYyR29ubzJac3o2V2pVWWpnWVJJc3RVVTd2c0IvVGNa VnB3WHRxc3o3bjgrZGJ1UUVERHVvNkcKdzhRVXhEbFNoeVpmbUo1elc2RXFJcDdlSitrbmg5V2dH eWEyS2NMbktWdXR4cUtGeFFRT000RktUOGl1RWRDeApSU1M0NFhQZTdmSm1RZ2NFbUFBMUE4c1ZT VmlsWU15ZXhhWFJydHlobmdpWlc1a1VrRE1UT3FtVGJIdm04UHl4CnllWFd1ZW5kNEhrZnVtaVln N3M3dE5HbDdacXVVRU0yTmk4Nm9MbGhzdW5hWWk2a29EZ21uWkVwMWsrMWdoQU4KelRuK24wMlg0 eUFVTTBnU3A2ZXFxaXYrNnZVRnM4OXN3dlNPTUVWaUJteFJVbmEvaHg1VWUxaEhGVk5mb0dKNwpa cHl0c3ZuYnFsNWdOUGtJSnRXaStuNGUxMmt2b0IvWFYwbGdhL293Y0FBcElhYldpTjR1NDNJTlA3 WEhOUldmCjBpcjNES0NFMkxvK1hrWjZUVXhhSWZQMDdsejF1L1E4a1NlMTN6MDRVZEtXUmlXT25q THBaQm5YWEdNS1JVQXIKNkt6cmxUdlMzbnQ3RFFRUVk3anVzZ2sraXhDVklIdmxwUTFrc2ZkRTdm aEsrYk54Z1JzaDVVTTNSTjhFbTV3TApFUklYdy9uTC9MMUZjcDk4NStPcAo9QlBuMQotLS0tLUVO RCBQR1AgU0lHTkFUVVJFLS0tLS0K --===============4184277237226699147==--