Re: ike and elliptic curves

["Hilarie Orman" <HORMAN@novell.com>]

If wishes were crypto bits, we'd all have zillion bit keys.

The question of whether or not an IKE group is strong enough
to protect a 3DES key seems to depend on what the overall security
and performance goals are.  The bottom line is that the numbers
used for the Diffie-Hellman computations must be as small as
possible, because the performance is dominated by the cost of
the basic arithmetic operations.  If this weren't such a computationally
costly operation, we'd just use 20K bits for the regular groups and
a few hundred for the elliptic curve groups.  But, it isn't so, and
it is necessary to find just the right balance point.

Now, how strong should the key exchange for a 3DES key really be?
The effective key strength for 3DES is 112 bits.  Who chose that
number?  It's only a happenstance, because 56 is too short 
and the simplest way to get to anything stronger is to
use 2*56.  Then comes the bottom line question: is 112 the minimum
requirement for protecting the data?  If it isn't, if 80 or 90 bits
is the security requirement, then a key exchange that matches the
lesser strength is perfectly OK.  And that means that the DH key exchange
can be much faster.

A NRC report of a couple of years ago recommended 90 bits, I believe, as a
reasonable default value for data protection. 

I'm more concerned about reports I've heard that some of the elliptic
curve implementations are quite slow. I'm extremely puzzled about how
that could come about, being as there is a reasonable amount of literature
on how to code up fast routines. 

Hilarie

---

• Prev by Date: Re: Some queries regarding IP security
• Next by Date: Re: ike and elliptic curves
• Prev by thread: Re: ike and elliptic curves
• Next by thread: Re: ike and elliptic curves
• Index(es):
  • Main
  • Thread