Changes between Version 72 and Version 73 of Crypto/CurrentSpecs


Timestamp: Mar 10, 2018 12:48:24 PM (20 months ago)
Author: str4d
Comment: Turn references into anchor links

  • Crypto/CurrentSpecs

    v72 v73  
    66
    77|| '''Cipher''' || '''Used lengths''' || '''Security''' || '''Comments'''||
    8 || AES-CBC [8] || 256 || Good [5] ||  See [8] for p/q/g. A good choice due to common support for hardware acceleration??? Really? We don't support hardware acceleration. Never used alone, always with ElG+SessionTag [8] Notes about padding in [8] are incorrect and to be fixed (see [ticket:833 trac ticket]) ||
     8|| AES-CBC [#ref8 [8]] || 256 || Good [#ref5 [5]] ||  See [#ref8 [8]] for p/q/g. A good choice due to common support for hardware acceleration??? Really? We don't support hardware acceleration. Never used alone, always with ElG+SessionTag [#ref8 [8]] Notes about padding in [#ref8 [8]] are incorrect and to be fixed (see [ticket:833 trac ticket]) ||
    99
    1010=== Asymmetric ===
    1111
    1212|| '''Cipher''' || '''Used lengths''' || '''Security''' || '''Comments'''||
    13 || !ElGamal [8] || 2048 || >Poor [5]???|| We use "short exponent" [8]. See [8] for prime. ||
     13|| !ElGamal [#ref8 [8]] || 2048 || >Poor [#ref5 [5]]???|| We use "short exponent" [#ref8 [8]]. See [#ref8 [8]] for prime. ||
    1414
    1515=== MAC ===
    1616|| '''Cipher''' || '''Security''' || '''Implementability''' || '''Comments''' ||
    17 || HMAC-MD5-128 || Poor [5] || || nonstandard, used in SSU ||
     17|| HMAC-MD5-128 || Poor [#ref5 [5]] || || nonstandard, used in SSU ||
    1818
    1919=== Hashes ===
    2020
    2121|| '''Cipher''' || '''Used lengths''' || '''Security''' || '''Comments'''||
    22 || SHA256 [8] || 256 || Good [5] || Slow compared to SHA-3. Used everywhere. ||
     22|| SHA256 [#ref8 [8]] || 256 || Good [#ref5 [5]] || Slow compared to SHA-3. Used everywhere. ||
    2323
    2424=== Key Exchange ===
    2525
    2626|| '''Cipher''' || '''Used lengths''' || '''Security''' || '''Comments'''||
    27 || DH [8] || 2048 ||  ||  Both NTCP and SSU. Uses same prime as ElG [8] ||
     27|| DH [#ref8 [8]] || 2048 ||  ||  Both NTCP and SSU. Uses same prime as ElG [#ref8 [8]] ||
    2828
    2929=== Signatures ===
    3030
    3131|| '''Cipher''' || '''Used lengths''' || '''Security''' || '''Comments'''||
    32 || DSA [8] || 1024 || Poor [5] [10] || We use DSA for all signatures. We do not use ElG as it was deemed too slow. That's why every Dest and RI has two keys, one for crypto and one for signing. Note that we do not support signing key revocation for anything. ||
     32|| DSA [#ref8 [8]] || 1024 || Poor [#ref5 [5]] [#ref10 [10]] || We use DSA for all signatures. We do not use ElG as it was deemed too slow. That's why every Dest and RI has two keys, one for crypto and one for signing. Note that we do not support signing key revocation for anything. ||
    3333
    3434
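Review bot: In the AES-CBC row (line 8), the comment still states that the padding notes in [8] are incorrect and defers to ticket:833, but the reference list in this same revision points [8] at a different URL. Check whether that statement still holds for the new target and reword or drop it if it does not. The same row also keeps the unresolved aside "hardware acceleration??? Really? We don't support hardware acceleration.", which would be better settled in the text or moved to the ticket while the line is being edited.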
     
    4747|| Streaming message signing || DSA || || Years and years? || || ditto ||
    4848|| SUD signing || DSA || || Years and years || 99% verif. || Keys are hardcoded in i2p source, and revokable by removing them. New file format required to change algo, proposal at http://zzz.i2p/topics/1351  ||
    49 || Tunnel Build Messages [8] || ElG || RI !EncKey ||  ||  || ||
    50 || NetDB Lookups / Stores [8] || ElG/AES+SessionTag || || Years but... ||  || Only some are encrypted [8] Right now there's no limit on RI key lifetime but we could force a regeneration after a certain amount of time ||
    51 || End-to-End Encryption [8] || ElG/AES+SessionTag || LS !EncKey ||  ||  ||  ||
    52 || Transport key exchange [8] || DH || ||  ||  ||  Both NTCP and SSU ||
    53 || NTCP Transport encryption [8] || AES || DH key ||  ||  ||   ||
    54 || SSU Transport encryption [8] || AES || DH key ||  ||  || With nonstandard HMAC-MD5-128 [8]   ||
    55 || Tunnel encryption hop-by-hop [9] || AES || ||  ||  || See [9] for details   ||
    56 || Hashes [8] || SHA-256 || ||  ||  || Used as the netdb keys and would be very disruptive to change [8]   ||
     49|| Tunnel Build Messages [#ref8 [8]] || ElG || RI !EncKey ||  ||  || ||
     50|| NetDB Lookups / Stores [#ref8 [8]] || ElG/AES+SessionTag || || Years but... ||  || Only some are encrypted [#ref8 [8]] Right now there's no limit on RI key lifetime but we could force a regeneration after a certain amount of time ||
     51|| End-to-End Encryption [#ref8 [8]] || ElG/AES+SessionTag || LS !EncKey ||  ||  ||  ||
     52|| Transport key exchange [#ref8 [8]] || DH || ||  ||  ||  Both NTCP and SSU ||
     53|| NTCP Transport encryption [#ref8 [8]] || AES || DH key ||  ||  ||   ||
     54|| SSU Transport encryption [#ref8 [8]] || AES || DH key ||  ||  || With nonstandard HMAC-MD5-128 [#ref8 [8]]   ||
     55|| Tunnel encryption hop-by-hop [#ref9 [9]] || AES || ||  ||  || See [#ref9 [9]] for details   ||
     56|| Hashes [#ref8 [8]] || SHA-256 || ||  ||  || Used as the netdb keys and would be very disruptive to change [#ref8 [8]]   ||
    5757
    5858
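Review bot: In row 50 (NetDB Lookups / Stores) the new anchor lands in the middle of a run-on: "Only some are encrypted [#ref8 [8]] Right now there's no limit on RI key lifetime" has no sentence break after the citation. Add a period after the link while this line is being touched. The unchanged SUD signing row (line 48) still carries http://zzz.i2p/topics/1351 as a bare inline URL; giving it a numbered entry would keep it consistent with the anchored references this revision introduces.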
     
    6060
    6161=== Asymmetric ciphers ===
    62 || '''Cipher''' || '''Suggested length''' || '''Speed [6]''' || '''Security''' || '''Implementability''' || '''Comments'''  ||
    63 || [wiki:Crypto/ecdsa EC-DSA] || 256 || Sign.:  9203/s[[BR]]Verif.: 4658/s || Good [5] || Java7 !BouncyCastle || ||
    64 || [wiki:Crypto/ecdsa EC-DSA] || 384 || Sign.:  4791/s[[BR]]Verif.: 1085/s || >Good [5]??? || Java7 !BouncyCastle || ||
    65 || RSA-PKCS!#1 v1.5 || 2048 || Sign.: 770/s[[BR]]Verif.: 25184/s || Poor [5] || || ||
    66 || RSA-PKCS!#1 v1.5 || 3072 || || Decent [5] || || ||
    67 || RSA-PKCS!#1 v1.5 || 4096 || Sign.: 108/s[[BR]]Verif.: 6757/s || >Decent [5]??? || || ||
    68 || RSA-PSS || 2048 || Sign.: 770/s[[BR]]Verif.: 25184/s || Decent [5] || || ||
    69 || RSA-PSS || 3072 || || Good [5] || || ||
    70 || RSA-PSS || 4096 || Sign.: 108/s[[BR]]Verif.: 6757/s || >Good [5]??? || || ||
    71 || DSA || 160/1024 || Sign.: 8176/s[[BR]]Verif.: 7500/s || Poor [5] || || ||
    72 || DSA || 224/2048[[BR]]256/2048  || Sign.: 2548/s[[BR]]Verif.: 2089/s || >Poor [5]???|| ||
    73 || DSA || 256/3072 ||  || Decent [5] || || ||
     62|| '''Cipher''' || '''Suggested length''' || '''Speed [#ref6 [6]]''' || '''Security''' || '''Implementability''' || '''Comments'''  ||
     63|| [wiki:Crypto/ecdsa EC-DSA] || 256 || Sign.:  9203/s[[BR]]Verif.: 4658/s || Good [#ref5 [5]] || Java7 !BouncyCastle || ||
     64|| [wiki:Crypto/ecdsa EC-DSA] || 384 || Sign.:  4791/s[[BR]]Verif.: 1085/s || >Good [#ref5 [5]]??? || Java7 !BouncyCastle || ||
     65|| RSA-PKCS!#1 v1.5 || 2048 || Sign.: 770/s[[BR]]Verif.: 25184/s || Poor [#ref5 [5]] || || ||
     66|| RSA-PKCS!#1 v1.5 || 3072 || || Decent [#ref5 [5]] || || ||
     67|| RSA-PKCS!#1 v1.5 || 4096 || Sign.: 108/s[[BR]]Verif.: 6757/s || >Decent [#ref5 [5]]??? || || ||
     68|| RSA-PSS || 2048 || Sign.: 770/s[[BR]]Verif.: 25184/s || Decent [#ref5 [5]] || || ||
     69|| RSA-PSS || 3072 || || Good [#ref5 [5]] || || ||
     70|| RSA-PSS || 4096 || Sign.: 108/s[[BR]]Verif.: 6757/s || >Good [#ref5 [5]]??? || || ||
     71|| DSA || 160/1024 || Sign.: 8176/s[[BR]]Verif.: 7500/s || Poor [#ref5 [5]] || || ||
     72|| DSA || 224/2048[[BR]]256/2048  || Sign.: 2548/s[[BR]]Verif.: 2089/s || >Poor [#ref5 [5]]???|| ||
     73|| DSA || 256/3072 ||  || Decent [#ref5 [5]] || || ||
    7474|| !ElGamal || 256/2048 || || About the same as DSA-2048 as[[BR]] DSA is based on !ElGamal? || I2P || ||
    7575
     
    8282|| '''Cipher''' || '''Security''' || '''Implementability''' || '''Comments''' ||
    8383|| SHA3(Keccak) || Good enough to be recommended by NIST || || Faster than the SHA-2 family ||
    84 || RIPEMD-160 || Decent [5] || ||
    85 || RIPEMD-320 || ~RIPEMD-160 [7]|| ||
     84|| RIPEMD-160 || Decent [#ref5 [5]] || ||
     85|| RIPEMD-320 || ~RIPEMD-160 [#ref7 [7]]|| ||
    8686
    8787=== MAC ===
    8888|| '''Cipher''' || '''Security''' || '''Implementability''' || '''Comments''' ||
    89 || HMAC || Good [5] || ||  ||
    90 || CMAC || Good [5] || ||  ||
    91 || CBC-MAC-X9.19 || Good [5] || ||  ||
    92 || CBC-MAC-EMAC || Good [5] || ||  ||
     89|| HMAC || Good [#ref5 [5]] || ||  ||
     90|| CMAC || Good [#ref5 [5]] || ||  ||
     91|| CBC-MAC-X9.19 || Good [#ref5 [5]] || ||  ||
     92|| CBC-MAC-EMAC || Good [#ref5 [5]] || ||  ||
    9393
    9494=== Strategy ===
    9595
    96 At first glance, current signing algo (DSA) is the weakest, and signing is far easier to understand and analyze than crypto, so it's probably a good place to start. [8] [10]
     96At first glance, current signing algo (DSA) is the weakest, and signing is far easier to understand and analyze than crypto, so it's probably a good place to start. [#ref8 [8]] [#ref10 [10]]
    9797
    9898
    9999[[BR]][[BR]]
    100 [1] http://www.cryptopp.com/benchmarks.html [[BR]]
    101 [2] http://tools.ietf.org/html/rfc4492 [[BR]]
    102 [3] NIST 2011 http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf [[BR]]
    103 [4] http://www.keylength.com/en/compare/ [[BR]]
    104 [5] ECRYPT II 2012 http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf [[BR]]
    105 [6] [wiki:Crypto/OpenSSLBench OpenSSL Benchmark] [[BR]]
    106 [7] http://en.wikipedia.org/wiki/RIPEMD - Citation needed [[BR]]
    107 [8] http://www.i2p2.i2p/how_cryptography and see more references there [[BR]]
    108 [9] http://www.i2p2.i2p/tunnel-alt.html tunnel encryption [[BR]]
    109 [10] http://zzz.i2p/topics/715 DSA replacement [[BR]]
     100[=#ref1 [1]] http://www.cryptopp.com/benchmarks.html [[BR]]
     101[=#ref2 [2]] http://tools.ietf.org/html/rfc4492 [[BR]]
     102[=#ref3 [3]] NIST 2011 http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf [[BR]]
     103[=#ref4 [4]] http://www.keylength.com/en/compare/ [[BR]]
     104[=#ref5 [5]] ECRYPT II 2012 http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf [[BR]]
     105[=#ref6 [6]] [wiki:Crypto/OpenSSLBench OpenSSL Benchmark] [[BR]]
     106[=#ref7 [7]] http://en.wikipedia.org/wiki/RIPEMD - Citation needed [[BR]]
     107[=#ref8 [8]] https://geti2p.net/spec/cryptography and see more references there [[BR]]
     108[=#ref9 [9]] https://geti2p.net/en/docs/tunnels/implementation tunnel encryption [[BR]]
     109[=#ref10 [10]] http://zzz.i2p/topics/715 DSA replacement [[BR]]
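Review bot: Lines 107 and 108 change more than markup: [8] moves from http://www.i2p2.i2p/how_cryptography to https://geti2p.net/spec/cryptography and [9] from http://www.i2p2.i2p/tunnel-alt.html to https://geti2p.net/en/docs/tunnels/implementation, which the revision comment "Turn references into anchor links" does not mention. Record the retargeting in the comment or make it a separate revision, so that statements in the tables that cite [8] and [9] can be checked against the new pages. The RIPEMD rows (84 and 85) also have three cells under a four-column header and could be padded in the same pass.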