Closed Bug 918231 Opened 11 years ago Closed 6 months ago

key size and secret key size both are 168 for SSL_RSA_WITH_3DES_EDE_CBC_SHA :000A

Categories: NSS :: Libraries, defect, P5
Version: 3.11.1
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter: u238590, Unassigned
Attachments: 2 files, 1 obsolete file

I found that "key size" and "secret key size" are both 168 for SSL_RSA_WITH_3DES_EDE_CBC_SHA, i.e. :000A. I am expecting the "effective key size" to be "112", not "168".

I used the vfyserv utility to test this. It uses the NSS API SSL_SecurityStatus.
https://developer.mozilla.org/en-US/docs/NSS/SSL_functions/sslfnc.html#1092805

I tested with two ciphers; both have the same value for key size and secret key size:
   bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
   bulk cipher 3DES-EDE-CBC, 168 secret key bits, 168 key bits, status: 1

Expected values:

cipher                                     SYMMETRIC KEY SIZE   EFFECTIVE SYMMETRIC KEY SIZE

For the AES and RC4 ciphers given below, both of these will be the same:
SSL_RSA_WITH_RC4_128_MD5                   128                  128
SSL_RSA_WITH_RC4_128_SHA                   128                  128
TLS_RSA_WITH_AES_128_CBC_SHA               128                  128
TLS_RSA_WITH_AES_256_CBC_SHA               256                  256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA         256                  256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA         128                  128
TLS_ECDHE_RSA_WITH_RC4_128_SHA             128                  128

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA       256                  256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA       128                  128
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA           128                  128

But for these 3DES ciphers I am expecting it to be "112", not "168":

SSL_RSA_WITH_3DES_EDE_CBC_SHA              168                  112
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA        168                  112
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA      168                  112

----------------
See http://en.wikipedia.org/wiki/Triple_DES#Security
Triple DES has a 168-bit key size but only a 112-bit effective key size.
For RC4 and AES algorithms, the actual and effective symmetric key sizes are the same.
-----------------
I think the effective symmetric key size probably only applies to the EXPORT
cipher suites, whose keys are artificially weakened. Bob, do you know?
Julien gave me this link:
"The 'effective key size' we need is also called strength, from NIST SP800-57.
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
See section 5.6.1, table 2."
Attachment #807096 - Attachment mime type: application/octet-stream → text/plain
Attached patch Patch for the requested change (obsolete) — Splinter Review
Bob: do you think it is OK to make this change? This patch changes the
|secretKeySize| output of SSL_SecurityStatus from 168 bits to 112 bits.

Meena: as I noted in comment 1, the raw value for the |secretKeySize| output
of SSL_SecurityStatus differs from the raw value for the |keySize| output
only for the EXPORT cipher suites. It seems bad to modify the value returned
in the |secretKeySize| output for Triple DES cipher suites because they are
not EXPORT cipher suites.

However, I found that SSL_SecurityStatus already modifies the values returned
in the |keySize| and |secretKeySize| outputs for DES and Triple DES cipher
suites (to ignore the parity bits in DES keys).

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/sslauth.c&rev=1.20&mark=58,63,97,105-106,109-110#57

So it may be OK to modify the |secretKeySize| output further for Triple
DES cipher suites.
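As an added illustration (example code written for this page, not NSS's sslauth.c and not the attached patch), the following Python models the relationship the comments above describe: the raw DES-family key length, the parity-bit stripping that SSL_SecurityStatus already does for DES and Triple DES (64 -> 56, 192 -> 168), the EXPORT suites where the |secretKeySize| output is smaller than the |keySize| output, and the 112-bit value the patch proposes for the 3DES suites. The DES and EXPORT table entries, the 40-bit export figure, and the names Suite, security_status and set_odd_parity are my own assumptions for the example; the 112 comes from SP 800-57 Part 1 Table 2 as cited in comment 2.

```python
# Added example, not NSS code: models the keySize / secretKeySize outputs of
# SSL_SecurityStatus() for the cipher suites discussed in this bug.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def des_parity_ok(key: bytes) -> bool:
    """True if every byte of a DES/3DES key has odd parity (the DES convention:
    7 key bits plus 1 parity bit per byte)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(raw: bytes) -> bytes:
    """Rewrite the low bit of each byte so the byte has odd parity."""
    out = bytearray()
    for b in raw:
        b &= 0xFE                       # clear the parity bit
        if bin(b).count("1") % 2 == 0:  # even number of ones -> set parity bit
            b |= 0x01
        out.append(b)
    return bytes(out)


def des_keying_bits(key: bytes) -> int:
    """Bits of keying material after discarding one parity bit per byte:
    8 bytes -> 56 (DES), 24 bytes -> 168 (3DES)."""
    return len(key) * 7


@dataclass(frozen=True)
class Suite:
    name: str
    cipher: str
    raw_key_bits: int                      # bits handed to the cipher, parity included
    export_secret_bits: Optional[int] = None  # EXPORT suites only (assumption: 40)


# Constructed table. The RC4/AES/3DES names are from the bug report; the DES
# and EXPORT rows are my own additions to show the existing special cases.
SUITES = [
    Suite("SSL_RSA_WITH_RC4_128_SHA", "RC4", 128),
    Suite("TLS_RSA_WITH_AES_128_CBC_SHA", "AES", 128),
    Suite("TLS_RSA_WITH_AES_256_CBC_SHA", "AES", 256),
    Suite("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "3DES", 192),
    Suite("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "3DES", 192),
    Suite("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "3DES", 192),
    Suite("SSL_RSA_WITH_DES_CBC_SHA", "DES", 64),                      # assumption
    Suite("SSL_RSA_EXPORT_WITH_RC4_40_MD5", "RC4", 128, export_secret_bits=40),  # assumption
]

PARITY_CIPHERS = {"DES", "3DES"}
# Security strength per NIST SP 800-57 Part 1, Table 2: three-key TDEA = 112.
STRENGTH_3DES = 112


def security_status(suite: Suite, apply_3des_patch: bool = False) -> Tuple[int, int]:
    """Return (keySize, secretKeySize) in the style of SSL_SecurityStatus.

    keySize: raw key bits, minus parity bits for DES-family ciphers.
    secretKeySize: same as keySize, except for EXPORT suites (artificially
    weakened key) and, with apply_3des_patch, for 3DES (112-bit strength).
    """
    key_bits = suite.raw_key_bits
    if suite.cipher in PARITY_CIPHERS:
        key_bits = key_bits * 7 // 8   # strip one parity bit per byte: 64->56, 192->168
    secret_bits = key_bits if suite.export_secret_bits is None else suite.export_secret_bits
    if apply_3des_patch and suite.cipher == "3DES":
        secret_bits = STRENGTH_3DES
    return key_bits, secret_bits


def by_name(name: str) -> Suite:
    return next(s for s in SUITES if s.name == name)


def report(apply_3des_patch: bool = False) -> Dict[str, Tuple[int, int]]:
    """Map every suite name to its (keySize, secretKeySize) pair."""
    return {s.name: security_status(s, apply_3des_patch) for s in SUITES}


if __name__ == "__main__":
    for patched in (False, True):
        print("with 3DES patch" if patched else "current behaviour")
        for name, (k, s) in report(patched).items():
            print(f"  {name:40s} key bits {k:3d}  secret key bits {s:3d}")
    key = set_odd_parity(bytes(range(24)))   # constructed 3DES key, not a real secret
    print("parity ok:", des_parity_ok(key), "keying bits:", des_keying_bits(key))
```

The point the model makes explicit: today secretKeySize only diverges from keySize on EXPORT suites, and the parity adjustment already means neither output is the "raw" 192 for 3DES, which is why the comment above judges a further 168 -> 112 adjustment defensible but not obviously right.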
Attachment #817585 - Flags: review?(rrelyea)
I made a minor change to the patch (to multiply and then divide).
Attachment #817585 - Attachment is obsolete: true
Attachment #817585 - Flags: review?(rrelyea)
Attachment #817586 - Flags: review?(rrelyea)
OS: Linux → All
Hardware: x86 → All
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 6 months ago
Priority: -- → P5
Resolution: --- → WONTFIX
