
Re: new second mandatory IPsec cipher



Rodney Thayer wrote:
> 
> We've been talking about declaring a second mandatory to implement cipher,
> or in some way declaring a new second cipher for IPsec. . . .

Good idea (no pun intended :-).

I'm not certain if a second cipher would be a MUST or a SHOULD in the RFC,
though.

[snip]

> What should we use instead?  Well, there are apparently three choices:
> 
> -- DESX
> -- BLOWFISH
> -- CAST-128
> 
> All of these have their advocates.
> 
> DESX (or DES-XEX, or whatever it's called) has some detractors.
> It is hoped that anyone who reads this message and attends Crypto '99
> would look up the discussions that are expected there.
> 
> BLOWFISH has some detractors.  The negative views appear to be of the
> form "it wasn't constructed in a formal manner", or something like that.
> 
> CAST-128 has some detractors.  The negative views appear to be of the
> form "it's too young".
> 
> Now I'm not a cryptographer, and I don't play one on the internet, but I
> want to get those of you that are cryptographers (or play one on the Internet)
> to comment on this.

Playtime? Wheee!

Methinks you can eliminate DES-X as a mandatory cipher.

It is a clever design and apparently strong enough, but if there's some
catastrophic failure in DES (either a remarkable new breakthrough attack
or a revelation that the NSA or KGB or whoever broke it long ago), then
3DES and DES-X both fall too. We cannot afford that risk in a widespread
standardised infrastructure. A secondary cipher should differ greatly
from 3DES.

Also, DES and therefore DES-X tend to be slow in software.

Keeping it as an optional cipher, e.g. for devices with limited resources
but some hardware acceleration for DES, is sensible.

That leaves CAST-128 and Blowfish. These are very similar ciphers.
CAST-128 has a rotation in the round function, and there are plausible
arguments that this adds strength. See RFC 2144 or references in it.

Blowfish takes keys up to 448 bits. It isn't clear that this is a
real advantage over 128.

Other than that, the main difference is in the s-boxes. CAST-128
builds carefully optimised ones in advance. They are published
and must be presumed known to the attacker. Blowfish builds random
s-boxes at runtime, measurably weaker than the CAST ones but unknown
to the attacker.

There are arguments both ways on that, but none that knock holes
in either approach. Likely both ciphers are strong enough. Both
have had quite a bit of analysis with no great weaknesses found.
So for many applications, which to use would be purely a
question of taste.

I don't think it is for IPSEC, though. Blowfish needs extra
setup time on every key change to generate the random s-boxes.
Schneier himself says (p 336 AC II):

  Blowfish is optimised for applications where the key does
  not change often ... not suitable for applications, such
  as packet switching, with frequent key changes...

I think that eliminates it as a required cipher for IPSEC.

Also, since the s-boxes are different for every key, an IPSEC
box using Blowfish has to store 4K bytes of s-box material
per connection. This would be problematic for some.

Conclusion:
CAST-128 is the obvious choice.
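
An added example, not part of this message or of the proposal it replies to, to put numbers on the two Blowfish costs argued above (setup time on every key change, and key-dependent state per connection): a complete Blowfish in Python. Rather than pasting in the 1042 initial constants, it computes them at import time from the hexadecimal digits of pi with Machin's formula, which is how the cipher defines them. The `block_encryptions` counter, the `key_change_cost` helper and the names in general are this example's own; the all-zero key/all-zero block vector it checks (ciphertext 4EF997456198DD78) is the published Blowfish test vector.

```python
import struct

MASK = 0xFFFFFFFF


def _pi_fraction_words(nwords, guard_bits=64):
    """First nwords 32-bit words of pi's hexadecimal fraction
    (0x243F6A88, 0x85A308D3, ...), computed in fixed point with
    Machin's formula pi = 16*arctan(1/5) - 4*arctan(1/239)."""
    bits = 32 * nwords + guard_bits
    one = 1 << bits

    def arctan_inv(x):
        # arctan(1/x) = sum_k (-1)^k / ((2k+1) * x^(2k+1))
        power = total = one // x
        k = 0
        while power:
            power //= x * x
            k += 1
            term = power // (2 * k + 1)
            total += -term if k % 2 else term
        return total

    pi = 16 * arctan_inv(5) - 4 * arctan_inv(239)
    frac = (pi - 3 * one) >> guard_bits      # drop the leading "3." and the guard bits
    raw = frac.to_bytes(4 * nwords, "big")
    return list(struct.unpack(">%dI" % nwords, raw))


# Blowfish initialises P[0..17] and then S0..S3 (4 x 256 words) from pi,
# in that order: 18 + 1024 = 1042 words.
PI_WORDS = _pi_fraction_words(18 + 4 * 256)


class Blowfish:
    """Blowfish as specified by Schneier: 16-round Feistel, key-dependent S-boxes."""

    def __init__(self, key):
        if not 4 <= len(key) <= 56:
            raise ValueError("Blowfish key must be 32..448 bits")
        self.P = list(PI_WORDS[:18])
        self.S = [list(PI_WORDS[18 + 256 * i: 18 + 256 * (i + 1)]) for i in range(4)]
        self.block_encryptions = 0        # counter added for this example
        # 1. XOR the key, cycled byte by byte, into the P-array.
        j = 0
        for i in range(18):
            word = 0
            for _ in range(4):
                word = (word << 8) | key[j]
                j = (j + 1) % len(key)
            self.P[i] ^= word
        # 2. Replace every P and S entry with successive encryptions of a
        #    zero block, each chained through the state updated so far.
        #    This is the per-key-change work the message objects to.
        l = r = 0
        for i in range(0, 18, 2):
            l, r = self._encrypt_block(l, r)
            self.P[i], self.P[i + 1] = l, r
        for box in self.S:
            for i in range(0, 256, 2):
                l, r = self._encrypt_block(l, r)
                box[i], box[i + 1] = l, r
        self.key_setup_encryptions = self.block_encryptions   # 9 + 512 = 521

    def state_bytes(self):
        """Key-dependent state a peer keeps per key (P-array + four S-boxes)."""
        return 4 * (len(self.P) + sum(len(box) for box in self.S))

    def _f(self, x):
        a, b, c, d = x >> 24, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
        return ((((self.S[0][a] + self.S[1][b]) & MASK) ^ self.S[2][c]) + self.S[3][d]) & MASK

    def _encrypt_block(self, l, r):
        self.block_encryptions += 1
        for i in range(16):
            l ^= self.P[i]
            r ^= self._f(l)
            l, r = r, l
        l, r = r, l                      # undo the final swap
        return l ^ self.P[17], r ^ self.P[16]

    def _decrypt_block(self, l, r):
        # Same network with the P-array used in reverse order.
        for i in range(17, 1, -1):
            l ^= self.P[i]
            r ^= self._f(l)
            l, r = r, l
        l, r = r, l
        return l ^ self.P[0], r ^ self.P[1]

    def encrypt(self, block):
        return struct.pack(">II", *self._encrypt_block(*struct.unpack(">II", block)))

    def decrypt(self, block):
        return struct.pack(">II", *self._decrypt_block(*struct.unpack(">II", block)))


def key_change_cost(key):
    """Block encryptions spent on key expansion, and bytes of per-key state."""
    bf = Blowfish(key)
    return bf.key_setup_encryptions, bf.state_bytes()


if __name__ == "__main__":
    bf = Blowfish(bytes(8))                       # all-zero 64-bit key
    print(bf.encrypt(bytes(8)).hex())             # 4ef997456198dd78
    print(key_change_cost(bytes(8)))              # (521, 4168)
```

Each new key costs 521 full block encryptions before the first packet can be processed, and the result is 72 bytes of P-array plus 4096 bytes of S-boxes that must be kept for as long as that key is in use; with one key per security association, that is the "4K bytes per connection" figure above.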

