
Re: More on a second IPSec algorithm



It seems I'm missing some of the messages in this thread, or the thread was
renamed too many times, but while I agree that Bruce is correct on a theoretic
basis, there are a few practical reasons why having more than one "mandatory
to implement" cipher is good:

 A) Some vendors are resistant to mandating 3DES because of speed.  Perry
    and Phil and I pushed 3DES pretty hard 4 years ago, but lost the battle
    on the speed issue.  DESX is virtually the same speed as DES.  We didn't
    push DESX 4 years ago, as it had no analysis.  Now, I think DESX is the
    obvious choice for a quick update.  Easiest to implement, with no speed
    changes that a user (or marketer) might notice.

 B) Mandating that both DESX and 3DES are in every product allows the
    customer to choose the speed, finessing the vendor complaint.  The core
    code is the same, so it is still easy to implement.

 C) Having more than one algorithm tests the selection machinery on a
    regular basis.  This implementation issue is very important.  Even
    when a product works the first time around, later changes can break
    the implementation.  Exercise the code paths.

 D) Having more than one algorithm tests the operational configuration
    machinery.  Again, operational issues are very important.  Of course,
    this same consideration encourages the number of choices to be small,
    probably only 2 or 3.  But, as time goes on, there will be changes,
    and that means we have to be prepared to configure them.  It is a lot
    easier to change a policy data file than have a deployment flag day.

 E) Having more than one cipher available inhibits analysis.  The cipher
    in use can be hidden, requiring more effort for finding and tracking
    important data.  Heterogeneity(?) may make it impractical.  This was
    a design feature of Photuris, and is still optional in IKE/ISAKMP.  

 F) Having more than one cipher simply instills confidence, for users,
    the naive press, and overblown marketing.  This is another reason
    for adding a non-DES cipher.  It may not fix anything in and of itself,
    but the mere presence says "we've covered all the bases".

I wish that the working group had followed our advice in 1995, and allowed
both DES and 3DES to be Proposed Standard.  Then, we wouldn't be in the
quandary we are in today.


Bruce Schneier wrote:
> The NSA does not build encryption equipment with a hot-spare algorithm
> in it.  It makes no sense to do so.
>
The NSA still has multiple fielded algorithms.  They just have more control
over which are in use and where.  We don't have that luxury in the Internet.

Whenever I work on protocol design, I think implementation and operation
are incredibly important!  All the best intentions in the world are
worthless without deployment.

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32


