available crypto policies
Hubert Kario
hkario at redhat.com
Wed Jun 4 12:47:16 UTC 2014
----- Original Message -----
> From: "Till Maas" <opensource at till.name>
> To: security at lists.fedoraproject.org
> Sent: Wednesday, June 4, 2014 9:46:13 AM
> Subject: Re: available crypto policies
>
> On Thu, Mar 27, 2014 at 12:13:33PM +0100, Nikos Mavrogiannopoulos wrote:
>
> > =====LEGACY=====
> > systems. It should provide at least 64-bit security and include RC4, but
> > not MD5 as signature algorithm.
>
> > DH params size: 768+
> > RSA params size: 768+
>
>
> > =====DEFAULT======
> > A reasonable default for today's standards. For F21 it should provide
> > 80-bit security and no broken ciphers like RC4.
>
> > DH params size: 1024+
> > RSA params size: 1024+
>
> > =====FUTURE======
> > A level that will provide security on a conservative level that is
> > believed to withstand any near-term future attacks. That will be
> > an 128-bit security level, without including protocols with known
>
> > DH params size: 2048+
> > RSA params size: 2048+
>
> According to
> http://www.keylength.com/en/compare/
> the asymetric sizes do not match the symmetric size according to most
> sources listed on http://www.keylength.com/en/compare/.
That's old version. New one (https://fedoraproject.org/wiki/Changes/CryptoPolicy)
is:
Legacy: 767+
default: 1023+
future: 3071+
that matches NIST recommendations for default (80bit) and future level(128bit)
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario at redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
More information about the security
mailing list