Monthly Archives: April 2014

Simplex C4FM QSOs

Tonight some members of the Calvert Amateur Radio Association met on 146.580MHz to test out simplex range of narrow mode C4FM as seen in the new Yaesu radios.  Five stations got into a round table discussion, all within about ten miles of my station.  I haven’t purchased anything other than the FT-1DR (handheld) so I’m only running 5 watts and am using a 2m j-pole antenna up around 40 feet.

There is talk about turning the repeater into a fully functioning digital repeater (obviously keeping the ability to utilize analog transmissions as well).  When that happens I’m sure my coverage area will increase dramatically.

256 Bits of Security

This is an incomplete discussion of SSL/TLS authentication and encryption.  This post only goes into RSA and does not discuss DHE, PFS, elliptic curve, or other mechanisms.

In a previous post I created a 15,360-bit RSA key and timed how long it took to create the key.  Some may have thought that was some sort of stunt to check processor speed.  I mean, who needs an RSA key of such strength?  Well, it turns out that if you actually need 256 bits of security then you’ll need an RSA key of this size.

According to NIST (SP 800-57, Part 1, Rev 3), to achieve 256 bits of security you need an RSA key of at least 15,360 bits to protect the symmetric 256-bit cipher that’s being used to secure the communications (SSL/TLS).  So what does the new industry-standard RSA key size of 2048 bits buy you?  According to the same document that 2048-bit key buys you 112 bits of security.  Increasing the bit strength to 3072 will bring you up to the 128 bits that most people expect to be the minimum protection.  And this is assuming that the certificate and the certificate chain are all signed using a SHA-2 algorithm (SHA-1 only gets you 80 60 bits of security when used for digital signatures and hashes).

So what does this mean for those websites running AES-256 or CAMELLIA-256 ciphers?  They are likely wasting processor cycles and not adding to the overall security of the circuit.  I’ll make two examples of TLS implementations in the wild.

First, we’ll look at  This website is protected using a 2048-bit RSA certificate, signed using SHA256, and using the AES-128 cipher.  This represents 112 bits of security because of the limitation of the 2048-bit key.  The certificate is properly chained back to the GoDaddy CA, whose root and intermediate certificates are all 2048 bits and signed using SHA-256.  Even though there is reduced security when using the 2048-bit key, it’s likely more efficient to use the AES-128 cipher than any other due to the chip accelerations that are typically found in computers nowadays.

Next we’ll look at one of my domains:  This website is protected using a 2048-bit RSA certificate, signed using SHA-1, and using the CAMELLIA-256 cipher.  This represents 80 60 bits of security due to the limitation of the SHA-1 signature used on the certificate and the CA and intermediate certificates from AddTrust and COMODO CA.  My hosting company uses both the RC4 cipher and the CAMELLIA-256 cipher.  In this case the CAMELLIA-256 cipher is a waste of processor cycles since the certificates used aren’t nearly strong enough to support such encryption.  I block RC4 in my browser as RC4 is no longer recommended to protect anything.  I’m not really sure exactly how much security you’ll get from using RC4 but I suspect it’s less than SHA-1.
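The weakest-link reasoning used for the two sites above, as an added example (not code from the original post). It goes beyond the three key sizes quoted from NIST by estimating other RSA sizes with the number-field-sieve formula published in the FIPS 140-2 Implementation Guidance. Assumptions: hash strength is modelled as the generic birthday bound (digest bits / 2), which is only an upper bound, and the sample chains and the second site's CA key sizes are constructed.

```python
import math

# NIST SP 800-57 values quoted in the post: RSA modulus bits -> bits of security.
NIST_RSA = {2048: 112, 3072: 128, 15360: 256}

def gnfs_bits(modulus_bits):
    """Estimate RSA strength from number-field-sieve cost (FIPS 140-2 IG formula)."""
    n = modulus_bits * math.log(2)
    return (1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69) / math.log(2)

def rsa_bits(modulus_bits):
    """Use the NIST table value when listed, else the estimate rounded down."""
    return NIST_RSA.get(modulus_bits, math.floor(gnfs_bits(modulus_bits)))

def hash_bits(digest_bits):
    """Assumption: generic birthday bound, an upper bound on signature-hash strength."""
    return digest_bits // 2

def effective_bits(chain, cipher_key_bits):
    """Return (bits, weakest link) over the bulk cipher and every certificate."""
    links = [(cipher_key_bits, "cipher")]
    for name, rsa, digest in chain:
        links.append((rsa_bits(rsa), f"{name} RSA-{rsa}"))
        links.append((hash_bits(digest), f"{name} {digest}-bit signature hash"))
    return min(links, key=lambda link: link[0])  # first weakest link wins ties

# Constructed chains modelled on the post's two sites: (name, RSA bits, digest bits).
# Key sizes for the second site's CA certificates are assumed, not from the post.
SITE_A = [("leaf", 2048, 256), ("intermediate", 2048, 256), ("root", 2048, 256)]
SITE_B = [("leaf", 2048, 160), ("intermediate", 2048, 160), ("root", 2048, 160)]

if __name__ == "__main__":
    print(effective_bits(SITE_A, 128))   # AES-128 behind RSA-2048 / SHA-256
    print(effective_bits(SITE_B, 256))   # CAMELLIA-256 behind RSA-2048 / SHA-1
    for size in (2048, 3072, 4096, 15360):
        print(size, round(gnfs_bits(size), 1), rsa_bits(size))
```

In both sample chains the bulk cipher is never the weakest link, which is the post's point about 256-bit ciphers behind 2048-bit certificates.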

So what to do?  Well, if system administrators are concerned with performance then using a 128-bit cipher (like AES-128) is a good idea.  For those that are concerned with security, using a 3072-bit RSA key (at a minimum) will give you 128 bits of security.  If you feel you need more bits of security than 128 then generating a solid, large RSA key is the first step.  Deciding how many bits of security you need all depends on how long you want the information to be secure.  But that’s a post for another day.

Five new DXCC entities in the log

Since moving to Calvert County and getting my Carolina Windom up (radiating East-West) I’ve added five new DXCC entities to my logs:

  1. Kuwait – 9K2WA – 20m SSB
  2. Wallis & Futuna Islands – FW5JJ – 17m CW
  3. San Andres & Providencia – 5J0X – 10m SSB and 10m CW
  4. Kazakhstan – UN1L – 15m RTTY
  5. American Samoa – KH8/DL6JGN – 12m CW

I guess my antenna is up high enough!  I’ll keep watching the cluster and grabbing what I can.  I’m also working towards my SKCC Centurion award and have been adding QSOs to my list.  More on this later.