IDS> Min_Cipher_Suite and Min_Cipher_Key_Length attributes

IDS> Min_Cipher_Suite and Min_Cipher_Key_Length attributes

Ira McDonald blueroofmusic at gmail.com
Sun Feb 1 13:52:02 EST 2009 

Hi,

Just my two cents, but, I'd urge that either:

(1) Both attributes stay REQUIRED; or
(2) Both attributes are deleted entirely from IDS.

Having said that, the FIRST principal of security
audits is that EVERY network protocol has to be
secured on a device and the weakest security
configured for any of those network protocols is
the security rating of the entire device.

Secure devices do NOT send or receive unsecured
email over SMTP (for example).

MFDs shouldn't claim to be secure if they aren't.

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Blue Roof Music/High North Inc
email: blueroofmusic at gmail.com
winter:
  579 Park Place  Saline, MI  48176
  734-944-0094
summer:
  PO Box 221  Grand Marais, MI 49839
  906-494-2434



On Sat, Jan 31, 2009 at 7:08 PM, Randy Turner <rturner at amalfisystems.com> wrote:
>
> I think so....when you actually code TLS connections using OpenSSL, you can
> specify a minimum cipher suite to be negotiated...only the cipher suite
> enumeration is specified, so I think it's ok to use just the enumerations.
> R.
> On Jan 31, 2009, at 4:03 PM, Brian Smithson wrote:
>
> Thanks, Randy.
>
> So is our key length attribute redundant?
>
> --
> Regards,
> Brian Smithson
> PM, Security Research
> PMP, CISSP, CISA, ISO 27000 PA
> Advanced Imaging and Network Technologies
> Ricoh Americas Corporation
> (408)346-4435
>
> Randy Turner wrote:
>
> Hi Brian,
> I think the IANA registry actually has the key length specified as part of
> the suite enumeration.
> Examples are:
> TLS_RSA_WITH_AES_128_CBC_SHA256
> TLS_RSA_WITH_AES_256_CBC_SHA256
> There are other suites that don't specify numeric key sizes, but in these
> cases, the algorithm itself
> (3DES for example) work with a specific key size that doesn't vary.
> In this case, we may be able to just specify that we're talking about a
> minimum suite, with a reference to RFC 5246 and
> the IANA registry itself.
> Randy
>
> On Jan 30, 2009, at 6:26 PM, Brian Smithson wrote:
>
> I am still wondering how these two attributes can be used in practice. I
> know that we can uniquely identify cipher suites using the IANA
> registry, but is there an authoritative source to specify that one suite
> is "more minimum" than another? And if you consider different key
> lengths that might be acceptable for a given suite, then can we really
> say that suite X is more minimum than suite Y even if an HCD supports a
> relatively long key length for X but only supports a relatively short
> one for Y?
>
> --
> Regards,
> Brian Smithson
> PM, Security Research
> PMP, CISSP, CISA, ISO 27000 PA
> Advanced Imaging and Network Technologies
> Ricoh Americas Corporation
> (408)346-4435
>
>
>
>
>

More information about the Ids mailing list