----- Original Message -----
From: "Pavel Kankovsky"
<peak(a)argo.troja.mff.cuni.cz>
To: "Nikos Mavrogiannopoulos" <nmav(a)redhat.com>
Cc: security(a)lists.fedoraproject.org
Sent: Monday, 31 March, 2014 10:34:37 PM
Subject: Re: Crypto guidelines for Fedora
On Mon, 31 Mar 2014, Nikos Mavrogiannopoulos wrote:
> I don't understand what do you mean using SSH and TLS for 10 or more
> years, but we have an expectation of secrecy of data for 10 or more
> years. When you do a TLS or SSH session you don't expect that your
> transferred data will be leaked within a few months or a year later.
Let me repeat one of my footnotes:
(***) If long-term secrecy is desired for data transmitted using a
transport protocol (TLS, SSH), one should rely on perfect forward secrecy
provided by the use of ephemeral (EC)DH keys rather than on a server
private key staying confidential for a long time (not broken and not
leaked or stolen). Unfortunately, the support of ephemeral DH in many
programs is, ahem, questionable...
The ENISA recommendations are generic, not everybody uses ECDHE or DHE
key exchange. Either because, as you point out, the support is not there,
or because they use client cipher selection and most of the clients are
Windows machines or because the administrator disabled all DH suites
because he or she fears for performance problems caused by DHE and doesn't
know that this does not apply for ECDHE suites.
Also, cryptosystems that don't use primitives of comparable strength
are rather frowned upon (if only because security assessment of such
systems is more complex).
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario(a)redhat.com
Web:
www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic