Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Version 72 and Version 73 of Crypto/CurrentSpecs

Timestamp:: Mar 10, 2018 12:48:24 PM (13 months ago)
Author:: str4d
Comment:: Turn references into anchor links

Legend:

: Unmodified
: Added
: Removed
: Modified

Crypto/CurrentSpecs

-                      v72
+                      v73
 || '''Cipher''' || '''Used lengths''' || '''Security''' || '''Comments'''||
 || AES-CBC [8] || 256 || Good [5] ||  See [8] for p/q/g. A good choice due to common support for hardware acceleration??? Really? We don't support hardware acceleration. Never used alone, always with ElG+SessionTag [8] Notes about padding in [8] are incorrect and to be fixed (see [ticket:833 trac ticket]) ||
+|| AES-CBC [#ref8 [8]] || 256 || Good [#ref5 [5]] ||  See [#ref8 [8]] for p/q/g. A good choice due to common support for hardware acceleration??? Really? We don't support hardware acceleration. Never used alone, always with ElG+SessionTag [#ref8 [8]] Notes about padding in [#ref8 [8]] are incorrect and to be fixed (see [ticket:833 trac ticket]) ||
 === Asymmetric ===
 || '''Cipher''' || '''Used lengths''' || '''Security''' || '''Comments'''||
 || !ElGamal [8] || 2048 || >Poor [5]???|| We use "short exponent" [8]. See [8] for prime. ||
+|| !ElGamal [#ref8 [8]] || 2048 || >Poor [#ref5 [5]]???|| We use "short exponent" [#ref8 [8]]. See [#ref8 [8]] for prime. ||
 === MAC ===
 || '''Cipher''' || '''Security''' || '''Implementability''' || '''Comments''' ||
 || HMAC-MD5-128 || Poor [5] || || nonstandard, used in SSU ||
+|| HMAC-MD5-128 || Poor [#ref5 [5]] || || nonstandard, used in SSU ||
 === Hashes ===
 || '''Cipher''' || '''Used lengths''' || '''Security''' || '''Comments'''||
 || SHA256 [8] || 256 || Good [5] || Slow compared to SHA-3. Used everywhere. ||
+|| SHA256 [#ref8 [8]] || 256 || Good [#ref5 [5]] || Slow compared to SHA-3. Used everywhere. ||
 === Key Exchange ===
 || '''Cipher''' || '''Used lengths''' || '''Security''' || '''Comments'''||
 || DH [8] || 2048 ||  ||  Both NTCP and SSU. Uses same prime as ElG [8] ||
+|| DH [#ref8 [8]] || 2048 ||  ||  Both NTCP and SSU. Uses same prime as ElG [#ref8 [8]] ||
 === Signatures ===
 || '''Cipher''' || '''Used lengths''' || '''Security''' || '''Comments'''||
 || DSA [8] || 1024 || Poor [5] [10] || We use DSA for all signatures. We do not use ElG as it was deemed too slow. That's why every Dest and RI has two keys, one for crypto and one for signing. Note that we do not support signing key revocation for anything. ||
+|| DSA [#ref8 [8]] || 1024 || Poor [#ref5 [5]] [#ref10 [10]] || We use DSA for all signatures. We do not use ElG as it was deemed too slow. That's why every Dest and RI has two keys, one for crypto and one for signing. Note that we do not support signing key revocation for anything. ||
 …
 || Streaming message signing || DSA || || Years and years? || || ditto ||
 || SUD signing || DSA || || Years and years || 99% verif. || Keys are hardcoded in i2p source, and revokable by removing them. New file format required to change algo, proposal at http://zzz.i2p/topics/1351  ||
 || Tunnel Build Messages [8] || ElG || RI !EncKey ||  ||  || ||
 || NetDB Lookups / Stores [8] || ElG/AES+SessionTag || || Years but... ||  || Only some are encrypted [8] Right now there's no limit on RI key lifetime but we could force a regeneration after a certain amount of time ||
 || End-to-End Encryption [8] || ElG/AES+SessionTag || LS !EncKey ||  ||  ||  ||
 || Transport key exchange [8] || DH || ||  ||  ||  Both NTCP and SSU ||
 || NTCP Transport encryption [8] || AES || DH key ||  ||  ||   ||
 || SSU Transport encryption [8] || AES || DH key ||  ||  || With nonstandard HMAC-MD5-128 [8]   ||
 || Tunnel encryption hop-by-hop [9] || AES || ||  ||  || See [9] for details   ||
 || Hashes [8] || SHA-256 || ||  ||  || Used as the netdb keys and would be very disruptive to change [8]   ||
+|| Tunnel Build Messages [#ref8 [8]] || ElG || RI !EncKey ||  ||  || ||
+|| NetDB Lookups / Stores [#ref8 [8]] || ElG/AES+SessionTag || || Years but... ||  || Only some are encrypted [#ref8 [8]] Right now there's no limit on RI key lifetime but we could force a regeneration after a certain amount of time ||
+|| End-to-End Encryption [#ref8 [8]] || ElG/AES+SessionTag || LS !EncKey ||  ||  ||  ||
+|| Transport key exchange [#ref8 [8]] || DH || ||  ||  ||  Both NTCP and SSU ||
+|| NTCP Transport encryption [#ref8 [8]] || AES || DH key ||  ||  ||   ||
+|| SSU Transport encryption [#ref8 [8]] || AES || DH key ||  ||  || With nonstandard HMAC-MD5-128 [#ref8 [8]]   ||
+|| Tunnel encryption hop-by-hop [#ref9 [9]] || AES || ||  ||  || See [#ref9 [9]] for details   ||
+|| Hashes [#ref8 [8]] || SHA-256 || ||  ||  || Used as the netdb keys and would be very disruptive to change [#ref8 [8]]   ||
 …
 === Asymmetric ciphers ===
 || '''Cipher''' || '''Suggested length''' || '''Speed [6]''' || '''Security''' || '''Implementability''' || '''Comments'''  ||
 || [wiki:Crypto/ecdsa EC-DSA] || 256 || Sign.:  9203/s[[BR]]Verif.: 4658/s || Good [5] || Java7 !BouncyCastle || ||
 || [wiki:Crypto/ecdsa EC-DSA] || 384 || Sign.:  4791/s[[BR]]Verif.: 1085/s || >Good [5]??? || Java7 !BouncyCastle || ||
 || RSA-PKCS!#1 v1.5 || 2048 || Sign.: 770/s[[BR]]Verif.: 25184/s || Poor [5] || || ||
 || RSA-PKCS!#1 v1.5 || 3072 || || Decent [5] || || ||
 || RSA-PKCS!#1 v1.5 || 4096 || Sign.: 108/s[[BR]]Verif.: 6757/s || >Decent [5]??? || || ||
 || RSA-PSS || 2048 || Sign.: 770/s[[BR]]Verif.: 25184/s || Decent [5] || || ||
 || RSA-PSS || 3072 || || Good [5] || || ||
 || RSA-PSS || 4096 || Sign.: 108/s[[BR]]Verif.: 6757/s || >Good [5]??? || || ||
 || DSA || 160/1024 || Sign.: 8176/s[[BR]]Verif.: 7500/s || Poor [5] || || ||
 || DSA || 224/2048[[BR]]256/2048  || Sign.: 2548/s[[BR]]Verif.: 2089/s || >Poor [5]???|| ||
 || DSA || 256/3072 ||  || Decent [5] || || ||
+|| '''Cipher''' || '''Suggested length''' || '''Speed [#ref6 [6]]''' || '''Security''' || '''Implementability''' || '''Comments'''  ||
+|| [wiki:Crypto/ecdsa EC-DSA] || 256 || Sign.:  9203/s[[BR]]Verif.: 4658/s || Good [#ref5 [5]] || Java7 !BouncyCastle || ||
+|| [wiki:Crypto/ecdsa EC-DSA] || 384 || Sign.:  4791/s[[BR]]Verif.: 1085/s || >Good [#ref5 [5]]??? || Java7 !BouncyCastle || ||
+|| RSA-PKCS!#1 v1.5 || 2048 || Sign.: 770/s[[BR]]Verif.: 25184/s || Poor [#ref5 [5]] || || ||
+|| RSA-PKCS!#1 v1.5 || 3072 || || Decent [#ref5 [5]] || || ||
+|| RSA-PKCS!#1 v1.5 || 4096 || Sign.: 108/s[[BR]]Verif.: 6757/s || >Decent [#ref5 [5]]??? || || ||
+|| RSA-PSS || 2048 || Sign.: 770/s[[BR]]Verif.: 25184/s || Decent [#ref5 [5]] || || ||
+|| RSA-PSS || 3072 || || Good [#ref5 [5]] || || ||
+|| RSA-PSS || 4096 || Sign.: 108/s[[BR]]Verif.: 6757/s || >Good [#ref5 [5]]??? || || ||
+|| DSA || 160/1024 || Sign.: 8176/s[[BR]]Verif.: 7500/s || Poor [#ref5 [5]] || || ||
+|| DSA || 224/2048[[BR]]256/2048  || Sign.: 2548/s[[BR]]Verif.: 2089/s || >Poor [#ref5 [5]]???|| ||
+|| DSA || 256/3072 ||  || Decent [#ref5 [5]] || || ||
 || !ElGamal || 256/2048 || || About the same as DSA-2048 as[[BR]] DSA is based on !ElGamal? || I2P || ||
 …
 || '''Cipher''' || '''Security''' || '''Implementability''' || '''Comments''' ||
 || SHA3(Keccak) || Good enough to be recommended by NIST || || Faster than the SHA-2 family ||
 || RIPEMD-160 || Decent [5] || ||
 || RIPEMD-320 || ~RIPEMD-160 [7]|| ||
+|| RIPEMD-160 || Decent [#ref5 [5]] || ||
+|| RIPEMD-320 || ~RIPEMD-160 [#ref7 [7]]|| ||
 === MAC ===
 || '''Cipher''' || '''Security''' || '''Implementability''' || '''Comments''' ||
 || HMAC || Good [5] || ||  ||
 || CMAC || Good [5] || ||  ||
 || CBC-MAC-X9.19 || Good [5] || ||  ||
 || CBC-MAC-EMAC || Good [5] || ||  ||
+|| HMAC || Good [#ref5 [5]] || ||  ||
+|| CMAC || Good [#ref5 [5]] || ||  ||
+|| CBC-MAC-X9.19 || Good [#ref5 [5]] || ||  ||
+|| CBC-MAC-EMAC || Good [#ref5 [5]] || ||  ||
 === Strategy ===
 At first glance, current signing algo (DSA) is the weakest, and signing is far easier to understand and analyze than crypto, so it's probably a good place to start. [8] [10]
+At first glance, current signing algo (DSA) is the weakest, and signing is far easier to understand and analyze than crypto, so it's probably a good place to start. [#ref8 [8]] [#ref10 [10]]
 [[BR]][[BR]]
 [1] http://www.cryptopp.com/benchmarks.html [[BR]]
 [2] http://tools.ietf.org/html/rfc4492 [[BR]]
 [3] NIST 2011 http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf [[BR]]
 [4] http://www.keylength.com/en/compare/ [[BR]]
 [5] ECRYPT II 2012 http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf [[BR]]
 [6] [wiki:Crypto/OpenSSLBench OpenSSL Benchmark] [[BR]]
 [7] http://en.wikipedia.org/wiki/RIPEMD - Citation needed [[BR]]
 [8] http://www.i2p2.i2p/how_cryptography and see more references there [[BR]]
 [9] http://www.i2p2.i2p/tunnel-alt.html tunnel encryption [[BR]]
 [10] http://zzz.i2p/topics/715 DSA replacement [[BR]]
+[=#ref1 [1]] http://www.cryptopp.com/benchmarks.html [[BR]]
+[=#ref2 [2]] http://tools.ietf.org/html/rfc4492 [[BR]]
+[=#ref3 [3]] NIST 2011 http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf [[BR]]
+[=#ref4 [4]] http://www.keylength.com/en/compare/ [[BR]]
+[=#ref5 [5]] ECRYPT II 2012 http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf [[BR]]
+[=#ref6 [6]] [wiki:Crypto/OpenSSLBench OpenSSL Benchmark] [[BR]]
+[=#ref7 [7]] http://en.wikipedia.org/wiki/RIPEMD - Citation needed [[BR]]
+[=#ref8 [8]] https://geti2p.net/spec/cryptography and see more references there [[BR]]
+[=#ref9 [9]] https://geti2p.net/en/docs/tunnels/implementation tunnel encryption [[BR]]
+[=#ref10 [10]] http://zzz.i2p/topics/715 DSA replacement [[BR]]