with SMTP id IAA23642 for <ipsec@lists.tislabs.com>; Thu, 15 Jul 1999 08:56:23 -0500 (CDT)
Posted-Date: Thu, 15 Jul 1999 08:56:23 -0500 (CDT)
Message-Id: <4.1.19990715084059.00a00290@mail.visi.com>
X-Sender: schneier@mail.visi.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 
Date: Thu, 15 Jul 1999 08:50:44 -0500
To: ipsec@lists.tislabs.com
From: Bruce Schneier <schneier@counterpane.com>
Subject: Choosing a second mandatory cipher for IPSec
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

People have forwarded some of this debate to me.  I am not on the IPSec
mailing list, so if you want me to respond to further emails please copy me.

If you can afford to wait a year and a half before choosing a second
mandatory cipher, do so.  The AES process is moving along at speed, and a
final winner (or winners) should be chosen sometime in Summer 2000.  Then
you will have a second cipher that has some general consensus of
security--and one that will become a standard--to add to IPSec.

If you have to add a second cipher now, then the list I saw previously is a
good place to start:

   -- CAST-128
   -- BLOWFISH
   -- IDEA
   -- TWOFISH
   -- MARS
   -- (other AES candidates, please feel free to contribute)

I contribute Rijndael.
And someone else mentioned DES-X.

This is a tough list.  On the one hand, it is too early to choose any AES
candidates as a mandatory part of IPSec.  If I had to pick one, I would
pick Twofish or Rijndael.  Those are the only two algorithms flexible
enough to be efficient on the variety of platforms (hardware and software)
that IPSec needs to run on.  (Someone said that Rijndael is the fastest AES
candidate on all platforms.  I don't agree with that.  Twofish is, and
Rijndael is second.  We have various tables in the Twofish AES submission
document: http://www.counterpane.com/twofish-paper.html.)

DES-X is philosophically the same as Triple-DES, so I see no reason to add it.

IDEA is patented, and I don't know the current situation with the rights.
Also, recent attacks are getting a bit too close to the full cipher for me.
And it is very slow compared to other ciphers.

Blowfish and CAST-128 are similar in philosophy.  I prefer Blowfish, which
has the advantage of more analysis and more use.  There are over 100
products that use Blowfish: http://www.counterpane.com/products.html.

Still, neither cipher has had as much analysis as DES and Triple-DES.

The question comes down to why IPSec needs a second cipher.  Remember that
any implementation of IPSec will probably be as secure as the weakest of
the two cipher choices (under the assumption that an attacker can force a
choice, or at least on the assumption that the users will have no idea
which cipher to choose).  I think giving users a choice is a bad idea, and
that one strong cipher is better than two strong ciphers.

Wait for the AES process; this is exactly the application that it was
designed for.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com



