Re: Elliptic Curve Cryptography algorithm for key exchange

From: Michel Gallant (neutron_at_nspxistar.ca)
Date: 10/30/03


Date: Thu, 30 Oct 2003 10:30:49 -0500


"Pent" <pent> wrote in message news:e$%2308bvnDHA.2456@TK2MSFTNGP09.phx.gbl...
> Anything that needs better performance than current asymmetric algorithm
> while providing the same strength?
>
> http://www.certicom.com/resources/ecc/ecc.html
>
> "[...] To successfully protect your data, a high security algorithm like AES
> demands equivalent security for the accompanying digital signatures and key
> exchanges. Otherwise, AES can be compromised through the weaker security of
> your public key cryptography.
> Normally, this would mean the large key sizes required to match AES levels
> of security would overwhelm the processors of most mobile devices

This is a good point ... suitably matching the symmetric key size with a proper
asymmetric recipient key. There is a good table describing this:
  "Writing Secure Code" 2nd Edn. 2003 Table 8-2 "Key-Size Equivalences"

There is an interesting comment there:
  "Do not protect a 128-bit AES key by using a 512-bit RSA key"
which seems like a gross understatement.

Also, the table indicates that to protect, say, a 128 bit RC2 key requires at
LEAST a ~ 2000 bit RSA key. Interesting since most SSL connections (or
S/MIME usages) with 128 bit symmetric session key have only 1024 bit key
protection! .. or is that table misleading?? would be nice to have M. Howard
post it for discussion here :-)

Anyway, another trend, particularly in .NET documentation that should
at least be flagged, is the samples which encourage the use of AES, but with
only password derived (instead of asymmetric key protected) keys. This might
lead to developer perception of better security (i.e. AES) but in reality poor
protection with easily crackable pswd-derived AES keys!!

 - Michel Gallant
   Visual Security MVP
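
An added example, not part of the original post: a rough check of the key-size matching discussed above, using the heuristic general number field sieve cost (o(1) term dropped) for RSA and an upper-bound entropy for a uniformly random password. The function names and the sample password policy are assumptions made for illustration; published equivalence tables use calibrated models and give somewhat different figures.

```python
import math

LN2 = math.log(2)

def rsa_strength_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost to factor an RSA modulus of this size.

    Uses exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) with c = (64/9)^(1/3) and the
    o(1) term dropped, so treat the result as a rough estimate only.
    """
    ln_n = modulus_bits * LN2
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / LN2

def password_strength_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on password entropy: every character chosen uniformly."""
    return length * math.log2(alphabet_size)

def min_rsa_modulus_for(symmetric_bits: int, step: int = 256) -> int:
    """Smallest modulus (multiple of `step`) whose estimate meets the target."""
    bits = step
    while rsa_strength_bits(bits) < symmetric_bits:
        bits += step
    return bits

def weakest_link(symmetric_bits: float, protectors: dict) -> tuple:
    """Return (name, bits) of whatever actually bounds the scheme's strength."""
    candidates = {"symmetric key": symmetric_bits, **protectors}
    name = min(candidates, key=candidates.get)
    return name, candidates[name]

if __name__ == "__main__":
    for size in (512, 1024, 2048, 3072):
        print(f"RSA-{size}: ~{rsa_strength_bits(size):.0f} bits")
    print("RSA modulus to match a 128-bit key:", min_rsa_modulus_for(128))
    # Constructed policy: 8 random characters from a 62-symbol alphabet.
    pw = password_strength_bits(8, 62)
    rsa1024 = rsa_strength_bits(1024)
    print("AES-128 under RSA-1024:", weakest_link(128, {"RSA-1024": rsa1024}))
    print("AES-128 from password:", weakest_link(128, {"password": pw}))
```

Real passwords are rarely uniformly random, so the password figure is a ceiling, not an estimate.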


