Re: More on a second IPSec algorithm
It seems I'm missing some of the messages in this thread, or the thread was
renamed too many times, but while I agree that Bruce is correct on a theoretic
basis, there are a few practical reasons why having more than one "mandatory
to implement" cipher is good:
A) Some vendors are resistant to mandating 3DES because of speed. Perry
and Phil and I pushed 3DES pretty hard 4 years ago, but lost the battle
on the speed issue. DESX is virtually the same speed as DES. We didn't
push DESX 4 years ago, as it had no analysis. Now, I think DESX is the
obvious choice for a quick update. Easiest to implement, with no speed
changes that a user (or marketer) might notice.
B) Mandating that both DESX and 3DES are in every product allows the
customer to choose the speed, finessing the vendor complaint. The core
code is the same, so it is still easy to implement.
C) Having more than one algorithm tests the selection machinery on a
regular basis. This implementation issue is very important. Even
when a product works the first time around, later changes can break
the implementation. Exercise the code paths.
D) Having more than one algorithm tests the operational configuration
machinery. Again, operational issues are very important. Of course,
this same consideration encourages the number of choices to be small,
probably only 2 or 3. But, as time goes on, there will be changes,
and that means we have to be prepared to configure them. It is a lot
easier to change a policy data file than have a deployment flag day.
E) Having more than one cipher available inhibits analysis. The cipher
in use can be hidden, requiring more effort for finding and tracking
important data. Heterogeneity(?) may make it impractical. This was
a design feature of Photuris, and is still optional in IKE/ISAKMP.
F) Having more than one cipher simply instills confidence, for users,
the naive press, and overblown marketing. This is another reason
for adding a non-DES cipher. It may not fix anything in and of itself,
but the mere presence says "we've covered all the bases".
I wish that the working group had followed our advice in 1995, and allowed
both DES and 3DES to be Proposed Standard. Then, we wouldn't be in the
quandary we are in today.
Bruce Schneier wrote:
> The NSA does not build encryption equipment with a hot-spare algorithm
> in it. It makes no sense to do so.
>
The NSA still has multiple fielded algorithms. They just have more control
over which are in use and where. We don't have that luxury in the Internet.
Whenever I work on protocol design, I think implementation and operation
are incredibly important! All the best intentions in the world are
worthless without deployment.
WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32