Closed Bug 133502 Opened 23 years ago Closed 21 years ago

Enable Fortezza Ciphers

Categories

(Core Graveyard :: Security: UI, enhancement)

Other Branch
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: KaiE, Assigned: KaiE)

Details

NSS supports Fortezza cipher suites. Nelson suggests:
- Mozilla should support those ciphers
- The ciphers should NOT be enabled by default
- In order to use those ciphers, a user must manually enable them.
- Because fortezza ciphers depend on some special pkcs#11 module to be installed, he suggests the UI to enable those ciphers should only be visible if it is installed.
Bob, do you know how I can find out whether a fortezza capable pkcs#11 module is installed or not?
Actually, I suggested that the fortezza ciphersuites be disabled when there is no fortezza PKCS#11 module installed, regardless of the user's preference for those ciphersuites. I recommend that the fortezza ciphersuite preferences be enabled by default, but that those preferences are overridden and the ciphersuites disabled when no fortezza PKCS#11 module is installed.
Blocks: sslciphers
I was under the impression that the cipher system on which Fortezza was built has been shown to be weak. There is little to no expected use of Fortezza and it seems to not be a worthwhile thing to spend time on.
The Fortezza device implements the SkipJack encryption algorithm, which has a 90-bit key size (IIRC), and the Fortezza Key Exchange Algorithm (FKEA), a dual Diffie-Hellman system that uses both certified and public key values from both parties. SkipJack was also used in the "clipper chip", which sent both SkipJack-encrypted data and also the SkipJack data encryption key, encrypted, in a "Law Enforcement Access Field" or LEAF. The LEAF was shown to be weak, but Fortezza doesn't use it. SkipJack and FKEA were declassified, and their details are now publicly available. There is a software implementation of a Fortezza device in NSS, as a separately loadable PKCS11 module. SkipJack is faster than DES, and has a large key space. I'm not aware that SkipJack has been shown to be significantly weaker than 90 bits, but 90 bits is not as interesting as it was before AES. NSS continues to include the software fortezza PKCS11 module, and NSS's SSL and S/MIME continue to support Fortezza SSL ciphersuites and Fortezza signed and encrypted email. However, there presently is no public client that uses these features. I wish we could either drop Fortezza support in NSS, or have a public client that uses it.
Biham, Biryukov, and Shamir have successfully attacked Skipjack reduced to 31 rounds with Impossible Differentials. I see no reference to breaking full 32 round Skipjack, but the result suggests there isn't much of a safety margin.
Above, I meant to write "both certified and *dynamic* public key values". I think the narrow "safety margin" was a design choice. In any case, the question should be whether there is any/enough demand to warrant supporting it. I'd guess that there was once, but now is not. Too bad we don't seem to be able to drop Fortezza from NSS. :(
Until there's demonstrated need for these, I'm going to mark WONTFIX.
No longer blocks: sslciphers
Severity: normal → enhancement
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WONTFIX
Product: PSM → Core
Product: Core → Core Graveyard