mozilla/cipherscan

No recognition of DSA and ECC key strength

Closed this issue · 10 comments

Cipherscan doesn't find my ECDSA ECC prime256v1 with SHA-512 certificate to be very secure. While I have my own CA, which contributes to some of the warnings, it seems to only recognize RSA key strength in both cipherscan and analyze.py. I think that the 256 bits of my certificate's curve are plenty strong.

In the output of cipherscan, the 256 on the last line is in red (there is also no mention of the SHA512 cipher, but I'm not worried about that):

prio  ciphersuite                    protocols  pfs                 curves
1     ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2    ECDH,P-256,256bits  prime256v1
2     ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2    ECDH,P-256,256bits  prime256v1

Certificate: untrusted, 256 bits, sha512WithRSAEncryption signature

In the analyze.py output "things that are bad" section:

* don't use a public key smaller than 2048 bits

The cipherscan issue is a mistake on my part; pull #107 should fix that.

But analyze.py rejecting them is rather correct: the recommended configuration still requires the use of RSA certificates, ECDSA being allowed in addition to, not instead of, RSA.

Unless we want to change that for the Modern level, @jvehent?

@tomato42 I'm not sure what you mean by "in addition" to RSA. At least as far as I'm aware, you can only use one authentication key at a time (RSA or DSA or ECDSA).

No, the server can have multiple certificates, presenting to the client only the ones that are most desired by the client; the protocol was intentionally designed this way. Not all web servers support it though (e.g. Apache does, nginx doesn't, unless they added it in the past few months...).

Fixed in #107

Well, the "256 bits" is in green now (yay), but there's still another problem.

It still says "don't use a public key smaller than 2048 bits". This needs to be way more specific. There are multiple problems that it is pointing out. It is saying that the server does not reach the minimum bits of RSA even though there isn't RSA at all. I suspect that it might not be testing for RSA vs. DSA but is instead just looking at the key size regardless. On the server that I am testing there is only ECDSA enabled. It should instead point out that there is a lack of an RSA key, and then judge separately the strength of the DSA key.

Yes, I agree (note that ECDSA and DSA are two different cryptosystems, and you should not use DSA at all).
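As an added illustration of the check the two comments above ask for (it is example code, not part of cipherscan or analyze.py): parse the cipherscan output quoted in this issue, infer the certificate's authentication algorithm from the offered cipher suites instead of assuming RSA, and then apply a per-algorithm floor. The 2048-bit RSA floor is the figure analyze.py quotes; the 256-bit ECDSA floor, the prefix table and the "no RSA certificate" informational finding are this example's own assumptions. Because cipherscan prints a single "Certificate:" line, the example refuses to attribute that key size when more than one authentication algorithm is offered.

```python
import re

# Constructed sample input: the cipherscan output quoted in this issue.
SAMPLE_OUTPUT = """\
prio  ciphersuite                    protocols  pfs                 curves
1     ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2    ECDH,P-256,256bits  prime256v1
2     ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2    ECDH,P-256,256bits  prime256v1

Certificate: untrusted, 256 bits, sha512WithRSAEncryption signature
"""

# Assumed per-algorithm floors: 2048 for RSA is the figure analyze.py quotes;
# 256 for ECDSA is this example's assumption (P-256 is the smallest curve in
# common use). DSA gets no floor because it should not be used at all.
MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256}

# OpenSSL suite names carry the authentication algorithm after the key
# exchange; suites with no such prefix use static RSA key transport.
AUTH_PREFIXES = [
    ("ECDHE-ECDSA-", "ECDSA"), ("ECDH-ECDSA-", "ECDSA"),
    ("ECDHE-RSA-", "RSA"), ("ECDH-RSA-", "RSA"), ("DHE-RSA-", "RSA"),
    ("DHE-DSS-", "DSA"),
    ("ADH-", None), ("AECDH-", None),  # anonymous: no certificate at all
]


def auth_algorithm(ciphersuite):
    """Return 'RSA', 'ECDSA', 'DSA' or None (anonymous) for an OpenSSL suite name."""
    for prefix, alg in AUTH_PREFIXES:
        if ciphersuite.startswith(prefix):
            return alg
    return "RSA"


def parse_cipherscan(text):
    """Pull the offered suites and the certificate summary out of cipherscan output."""
    suites, cert_bits, cert_sig = [], None, None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+(\S+)", line)
        if m:
            suites.append(m.group(1))
            continue
        m = re.match(r"Certificate:\s*(\w+),\s*(\d+) bits,\s*(\S+) signature", line)
        if m:
            cert_bits, cert_sig = int(m.group(2)), m.group(3)
    return {"suites": suites, "cert_bits": cert_bits, "cert_sig": cert_sig}


def assess(report):
    """Judge key strength per algorithm instead of against a single RSA floor."""
    findings = []
    algs = {auth_algorithm(s) for s in report["suites"]}
    if None in algs:
        findings.append("bad: anonymous (unauthenticated) cipher suites are offered")
    algs.discard(None)
    bits = report["cert_bits"]
    if "DSA" in algs:
        findings.append("bad: DSA authentication is offered; do not use DSA")
    # Only one "Certificate:" line is available, so the key size can only be
    # attributed when a single authentication algorithm is in use.
    sized = sorted(a for a in algs if a in MIN_KEY_BITS)
    if len(sized) > 1:
        findings.append("info: several certificates offered; key size cannot be attributed")
    elif sized and bits is not None and bits < MIN_KEY_BITS[sized[0]]:
        findings.append(f"bad: don't use an {sized[0]} public key smaller than "
                        f"{MIN_KEY_BITS[sized[0]]} bits")
    if "RSA" not in algs:
        findings.append("info: no RSA certificate is offered; "
                        "clients without ECDSA support cannot connect")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_cipherscan(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the output quoted above, the ECDSA-only server gets no "smaller than 2048 bits" complaint, only the informational note that no RSA certificate is offered; a 1024-bit RSA certificate behind ECDHE-RSA suites still trips the RSA floor.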

@jvehent you haven't answered #106 (comment)

Ha, right, I skipped over it. There is a rework of the Modern level in progress, and we'll most likely prefer ECDSA over RSA soon. mozilla/server-side-tls#97

@jvehent but the questions are "Will we prefer ECDSA instead of RSA? Will we make RSA support optional at the Modern level?"

It will be recommended to use an ECDSA cert, but an RSA cert will also be fine. It's more of an incentive than a hard recommendation. So yes, support will be optional.