Re: Diffie-Hellman (note by Hugo)
At 2:57pm 12/12/94 -0500, wrote:
>I agree with Hugo. The requirement of `perfect forward secrecy' is non
>trivial and does not come for free.
I agree that it is not free, but in my experience, it is not impossible to
implement now and will be less costly to do so in the future. 2 cases
illustrate this, I hope, without causing lotsa flames. (Be polite.)
Ignoring the issue of `perfect forward secrecy', I would like to talk about
D-H and RSA computing requirements.
1. Computer power exceeds 10s of MIPS in most platforms (including
routers) and is doubling every 18 months. RSA and D-H should be executable
in the order of seconds in a background mode. Since creation time of SAIDs
can be correlated to the length that a SAID exists, then the cost of
creation can be amortized over the SAID lifetime and the delay is present
only when the first connection exists.
2. -Hardware- that executes large modular arithmetic exists on security
processor chips (<$20), smart cards (in the $30 to $50 range) and PCMCIA
cards ($100 to $200). Each of these engines is as fast as the 25MIP RISC
processors today.
3. Over the lifetime of a standard (10 years or so), something that is
marginal because it is processor intensive now will be not at all too
expensive in the future. This is better than a standard that is just fine
now and not enough (compared to feasible other algorithms) in the future.
In summary, I would argue that D-H can be implemented on existing platforms
today and that there is no good -long term reason- not to use it. (Also,
there is no reason that there can not be more than 1 key management style.)
Jim
----------------------
James P Hughes <hughes@hughes.network.com>
Key fingerprint = 68 E7 D5 75 3C 88 86 71 D4 34 36 C3 8E DD 48 17