RFC2440


13. Security Considerations

   As with any technology involving cryptography, you should check the
   current literature to determine if any algorithms used here have been
   found to be vulnerable to attack.

   This specification uses Public Key Cryptography technologies.
   Possession of the private key portion of a public-private key pair is
   assumed to be controlled by the proper party or parties.

   Certain operations in this specification involve the use of random
   numbers.  An appropriate entropy source should be used to generate
   these numbers.  See RFC 1750.

   The MD5 hash algorithm has been found to have weaknesses (pseudo-
   collisions in the compress function) that make some people deprecate
   its use.  They consider the SHA-1 algorithm better.

   Many security protocol designers think that it is a bad idea to use a
   single key for both privacy (encryption) and integrity (signatures).
   In fact, this was one of the motivating forces behind the V4 key
   format with separate signature and encryption keys. If you as an
   implementor promote dual-use keys, you should at least be aware of
   this controversy.

   The DSA algorithm will work with any 160-bit hash, but it is
   sensitive to the quality of the hash algorithm; if the hash algorithm
   is broken, it can leak the secret key. The Digital Signature Standard
   (DSS) specifies that DSA be used with SHA-1.  RIPEMD-160 is
   considered by many cryptographers to be as strong. An implementation
   should take care which hash algorithms are used with DSA, as a weak
   hash can not only allow a signature to be forged, but could leak the
   secret key. These same considerations about the quality of the hash
   algorithm apply to Elgamal signatures.

   If you are building an authentication system, the recipient may
   specify a preferred signing algorithm. However, the signer would be
   foolish to use a weak algorithm simply because the recipient requests
   it.
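   The two preceding paragraphs describe a negotiation: the recipient may
   state a preferred signing hash, but the signer must still enforce its
   own policy and the 160-bit requirement of DSA and Elgamal signatures.
   The following is an added example (not part of RFC 2440 or of any
   OpenPGP implementation) of how a signer can make that choice. The
   algorithm IDs are those of RFC 2440 sections 9.1 and 9.4; the local
   policy that refuses MD5 for new signatures is an assumption.

```python
# Hash algorithm IDs (RFC 2440 section 9.4) and public-key algorithm
# IDs (section 9.1) used by OpenPGP signature packets.
HASH_MD5, HASH_SHA1, HASH_RIPEMD160 = 1, 2, 3
PK_RSA, PK_RSA_SIGN_ONLY, PK_DSA, PK_ELGAMAL_SIGN = 1, 3, 17, 20

HASH_NAMES = {HASH_MD5: "MD5", HASH_SHA1: "SHA-1", HASH_RIPEMD160: "RIPEMD-160"}
HASH_BITS = {HASH_MD5: 128, HASH_SHA1: 160, HASH_RIPEMD160: 160}

# Assumed local signer policy, in order of preference: the signer will
# not produce new MD5 signatures even if a recipient asks for them.
SIGNER_ACCEPTABLE = [HASH_SHA1, HASH_RIPEMD160]


def usable_with_key(pk_algo, hash_algo):
    """DSA (and Elgamal signatures) require a 160-bit hash; RSA does not."""
    if hash_algo not in HASH_BITS:
        return False  # unknown hash ID: never sign with it
    if pk_algo in (PK_DSA, PK_ELGAMAL_SIGN):
        return HASH_BITS[hash_algo] == 160
    return True


def choose_signing_hash(pk_algo, recipient_prefs, acceptable=SIGNER_ACCEPTABLE):
    """Pick the hash to sign with.

    Walk the recipient's preference list in order and take the first
    entry that the signer's own policy accepts AND that the key type can
    use.  If nothing in the recipient's list qualifies, fall back to the
    signer's own first usable choice rather than honouring a weak request.
    Raise if the key type cannot be used with any acceptable hash.
    """
    for h in recipient_prefs:
        if h in acceptable and usable_with_key(pk_algo, h):
            return h
    for h in acceptable:
        if usable_with_key(pk_algo, h):
            return h
    raise ValueError("no acceptable hash algorithm for public-key algorithm %d" % pk_algo)


if __name__ == "__main__":
    # Recipient prefers MD5 then RIPEMD-160; for a DSA key the signer picks RIPEMD-160.
    chosen = choose_signing_hash(PK_DSA, [HASH_MD5, HASH_RIPEMD160])
    print("DSA key, recipient prefers MD5 then RIPEMD-160 ->", HASH_NAMES[chosen])
```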

   Some of the encryption algorithms mentioned in this document have
   been analyzed less than others.  For example, although CAST5 is
   presently considered strong, it has been analyzed less than Triple-
   DES. Other algorithms may have other controversies surrounding them.

   Some technologies mentioned here may be subject to government control
   in some countries.

HTML conversion and comments on this RFC are Copyright (c) 1998 Werner Koch, Remscheider Str. 22, 40215 Düsseldorf, Germany. Verbatim copying and distribution is permitted in any medium, provided this notice is preserved. See here for copyright information on the RFC itself.

Updated: 1999-09-30 wkoch