[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: More on a second IPSec algorithm



At 03:19 PM 7/17/99 -0400, William Allen Simpson wrote:

Sorry I was gone for a few days...

>It seems I'm missing some of the messages in this thread, or the thread was
>renamed too many times, but while I agree that Bruce is correct on a theoretic
>basis, there are a few practical reasons why having more than one "mandatory
>to implement" cipher is good:
>
> A) Some vendors are resistant to mandating 3DES because of speed.  Perry
>    and Phil and I pushed 3DES pretty hard 4 years ago, but lost the battle
>    on the speed issue.  DESX is virtually the same speed as DES.  We didn't
>    push DESX 4 years ago, as it had no analysis.  Now, I think DESX is the
>    obvious choice for a quick update.  Easiest to implement, with no speed
>    changes that a user (or marketer) might notice.

Speed is the paramount item.  DES was slow enough.  3DES is so much slower.
 If we want serious penetration, we MUST pay attention to speed.  I am not
so concerned for those big gateway boxes with OCn interfaces.  In the end
they lose anyway.  Rather small end systens.  cell phones and PDAs.  Hubs
(At chrysler we use to shut off ports where we suspected a user had stolen
someone elses IP address.  we were only wrong twice, but this is a great
DOS), assembly robots, etc.

When you drop DES you make a bad situation much worse.

> B) Mandating that both DESX and 3DES are in every product allows the
>    customer to choose the speed, finessing the vendor complaint.  The core
>    code is the same, so it is still easy to implement.

true

> C) Having more than one algorithm tests the selection machinery on a
>    regular basis.  This implementation issue is very important.  Even
>    when a product works the first time around, later changes can break
>    the implementation.  Exercise the code paths.

we still see this problem in the lab.

> D) Having more than one algorithm tests the operational configuration
>    machinery.  Again, operational issues are very important.  Of course,
>    this same consideration encourages the number of choices to be small,
>    probably only 2 or 3.  But, as time goes on, there will be changes,
>    and that means we have to be prepared to configure them.  It is a lot
>    easier to change a policy data file than have a deployment flag day.

again you see things like this in the lab.  pity the deployer.

> F) Having more than one cipher simply instills confidence, for users,
>    the naive press, and overblown marketing.  This is another reason
>    for adding a non-DES cipher.  It may not fix anything in and of itself,
>    but the mere presence says "we've covered all the bases".

All too aware of this 'reality'.

>I wish that the working group had followed our advice in 1995, and allowed
>both DES and 3DES to be Proposed Standard.  Then, we wouldn't be in the
>quandary we are in today.

Yes we would, as we are advocating dropping DES.  3DES is not an equivalent
replacement that addresses the weakness of DES (ie brute strength attack).


Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com


References: