SSLEngine with DH keyexchange

Thread view:

Christian - 27 Jan 2010 17:21 GMT

Hello,

Java's build in TLS seems to have the problem that the maximum size for
keys it uses has become/is becomeing obsolete.
i.e. DH key exchange has a key size maximum
limit of 1024Bit. That is not even acceptable as minimum keysize for
most SSH implementations.

I was told that bouncycastle implementation could solve the problem.

Though either I have been unable to install the providers correctly or
they don't work with SSLEngine (haven't found a single example on
bouncycastle about using their providers with SSLEngine for TLS)

Anyone got the same problem?
Simple solution? some library with drop in replacement for SSLEngine /
may be I have to do something special to get Bouncycastle to work with
SSLEngine (like using some special provider in SSLContext.getInstance()?)?

Anyone had the same problem?
Help!

Reply to this Message

Lothar Kimmeringer - 02 Feb 2010 13:42 GMT

> Though either I have been unable to install the providers correctly or
> they don't work with SSLEngine (haven't found a single example on
> bouncycastle about using their providers with SSLEngine for TLS)

Can you show what exactly you were doing to "install"
BouncyCastle? Just adding the jar to your classpath
isn't enough, you have to register the provider.

Regards, Lothar

Signature

Lothar Kimmeringer E-Mail: spamfang@kimmeringer.de
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
questions!

Reply to this Message

Christian - 03 Feb 2010 10:52 GMT

Am 02.02.2010 14:42, schrieb Lothar Kimmeringer:

>> Though either I have been unable to install the providers correctly or
>> they don't work with SSLEngine (haven't found a single example on
[quoted text clipped - 5 lines]
>
> Regards, Lothar

I just called Security.addProvider(new BouncyCastleProvider());

Otherwise nothing changed.
I also tried creating SSLContext with Bouncycastle as provider though
that failed i.e.
SSLContext.getInstance("TLSv1","BC");
or
SSLContext.getInstance("TLS","BC");

resulted in java.security.NoSuchAlgorithmException: no such algorithm: x
for provider BC

greetings
Christian

Reply to this Message

Christian - 03 Feb 2010 11:44 GMT

Am 03.02.2010 11:52, schrieb Christian:

> Am 02.02.2010 14:42, schrieb Lothar Kimmeringer:
>>
[quoted text clipped - 22 lines]
> greetings
> Christian

used jar was bcprov-jdk15-145.jar
btw

Reply to this Message

Lothar Kimmeringer - 03 Feb 2010 23:14 GMT

> Am 02.02.2010 14:42, schrieb Lothar Kimmeringer:
>> Can you show what exactly you were doing to "install"
>> BouncyCastle? Just adding the jar to your classpath
>> isn't enough, you have to register the provider.
>
> I just called Security.addProvider(new BouncyCastleProvider());

That's OK so far.

> Otherwise nothing changed.
> I also tried creating SSLContext with Bouncycastle as provider though
[quoted text clipped - 5 lines]
> resulted in java.security.NoSuchAlgorithmException: no such algorithm: x
> for provider BC

SSLContext.getInstance("ssl", "BC");
might be better. What version of SSL is used when establishing
a connection can be controlled by a System property I don't
recall at the moment (but there is a bug in the implementation
in the JSSE anyway, so the use of the property isn't making any
sense at the moment, because it's ignored half of the time.

If everything fails, I thinks it's better to ask your question
again at the mailing list of Bouncy Castle. The developers are
reading there and answer most of the time in addition to the
responses you get from other users of that library

Regards, Lothar

Signature

Lothar Kimmeringer E-Mail: spamfang@kimmeringer.de
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
questions!

Reply to this Message

Bohgosity BumaskiL - 16 Feb 2010 15:58 GMT

Last time I read anything about it, about ten years ago, an important number
from Fermat was factored. It's a one with about 512 zeros after it, plus one
(or something like that). He said (or one of his four rules determined) that
it was not prime. Then in about 2000, probably before, someone finally
factored it. The writers of the time figured that a lot of human input went
into the feat, because it had so many zeros in it. Still, if you think about
it, the task ran for about thirty years, because Fermat was long dead, but
recognized as a major contributor to PGP. Every additional bit doubles the
time (less than that, but not much). Add another 512 bits, and it still
can't be done by brute force, plus you will get major advantages from
employing expensive decrypto mathematicians who make these spectacular and
baseless but effective hunch moves to eliminate like five hundred million
instructions per hour. I am sure there are lot of crypto-wizards who are
saying that our computing power doubled five hundred times since 2000....but
it did not. Moore's law is losing momentum. I spend a whole lot more time
being wrong than anything else in crypto. Factoring in linear time
proportional to bits in a key would be astonishing to a lot of people. 1024
is the standard. Zimmerman was recommending it in 1996.

I saw that a recommendation in an RFC that symmetric keys be exchanged
periodically. There is no point to that, because symmetric keys are tighter
than public keys. The older a symmetric key, the better.

> Hello,
>
[quoted text clipped - 17 lines]
> Anyone had the same problem?
> Help!

Reply to this Message

Christian - 18 Feb 2010 08:21 GMT

Ok update on state of the art as I perceived it:
512 Bit being broken may be 2000
but in 2010 state of the art is 768Bit having been broken recently.
This all become more or less possible not due to computing power but due
to sub exponential time primefactoring.
(Primefactoring is still not done in polynomial time though it seems to
be below exponential time)
so implication of this is each new Bit does add definately less than a
factor of 2.

Besides moores law not really loosing that much momentum... number of
transistors are still rising fast and multicores are multiplying like
rabbits.

I doubt that it will take another 10 years for 1024Bit to be broken ...
I would rather not bet my momey on any date after 2015...

Christian

Reply to this Message

Bohgosity BumaskiL - 06 Mar 2010 07:04 GMT

> Ok update on state of the art as I perceived it:
> 512 Bit being broken may be 2000
[quoted text clipped - 9 lines]
> transistors are still rising fast and multicores are multiplying like
> rabbits.

Even so, Moore's law states a doubling of price-effectivness every eighteen
months, so over the last twelve years, eight more bits. Comparatively, I see
no point in going beyond 128bits for symmetric keys, because a modern
computer cannot even count to 2^64 in a practical amount of time. A 4Ghz
computer could do 2^32 in one second. The other thirty-two bits amount to
four billion seconds. It's a total wonder that multiplication instructions
only take five cycles on a 32bit machine. So, it is no wonder that the U.S.
government was (or is) suppressing export of symmetric crypto beyond 56bits.

> I doubt that it will take another 10 years for 1024Bit to be broken ...
> I would rather not bet my momey on any date after 2015...
>
> Christian

Zimmerman himself would not predict his art beyond a decade.

Reply to this Message

Christian - 06 Mar 2010 18:53 GMT

Am 06.03.2010 08:04, schrieb Bohgosity BumaskiL:

>> Ok update on state of the art as I perceived it:
>> 512 Bit being broken may be 2000
[quoted text clipped - 18 lines]
> only take five cycles on a 32bit machine. So, it is no wonder that the U.S.
> government was (or is) suppressing export of symmetric crypto beyond 56bits.

primary reason for this as history has shown: they were able to decrypt
56Bit DES simple BruteForce with dedicated hardware made it possible...
doing things in pure hardware / using SIMD processors (graphics cards
for example have them)

my main reason for going not beyond 128 Bit AES in symmetric keys would
rather be that 128Bit is considered more secure than the higher bit
variants currently (at least if you trust in the opinion of Bruce
Schneier for example).

Though reason for this all is also why your assmuption is kind of
unreasonable:
The cryptographic algorithms we are usually using i.e. RSA , AES (, SHA-1)

are broken ...
sure they are only broken on a theoretical level still needing more
computing power than available.. but they all have shown weaknesses
making them attackable under certain conditions...

And history indicates that after a cryptographic primitive gets broken
on theoretical level its rather a question of several years not a
question of several decades until its broken on a practical level.

>> I doubt that it will take another 10 years for 1024Bit to be broken ...
>> I would rather not bet my momey on any date after 2015...
>>
>> Christian
>
> Zimmerman himself would not predict his art beyond a decade.

I bet.. I would not predict.. cryptography is on having some buffer
space between whats currently breakable and what you use... 1024 already
lacks this space with 768 Bit having been broken..

In 2003!!! 7 years ago Shamir published a paper how one could for 10
Million $ build a device(TWIRL) that could break 1024Bit keys within a
year..
so with priceeffectiveness doubling every 18 Months we would be at 40k$
for cracking a RSA key within a year by 2015 (more than half a million
currently -> money a secret service should have i.e. throwing in some
more money to break RSA 1024 bit within a week should already be in the
range of non fiction...)

Though I actually lack the knowledge on cryptography i.e. not folowing
what papers are published.. so this here might all be fiction/inaccurate..
IANAC

...
Christian

Reply to this Message

SSLEngine with DH keyexchange

Free Magazines