[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ike and elliptic curves



Hilarie: Now, how strong should the key exchange for a 3DES
Hilarie: key really be? The effective key strength for 3DES
Hilarie: is 112 bits.  Who chose that number?  It's only a
Hilarie: happenstance, because 56 is too short and the
Hilarie: simplest way to get to anything stronger is to
Hilarie: use 2*56.

Agreed that key sizes should be choosen based upon best known attacks and the
desire to protect data; however, while 112 may have been choosen since it was
next logical step after 56-bits, I see many systems out there advertising
168-bit security. In these cases, the asymettric key sizes needs to correspond
in strength to the symettric key ones or it is simply a marketing ploy. This
will also be readily apparent with aes coming on-line with key strengths of 128,
192, and 256 bits.





"Hilarie Orman" <HORMAN@novell.com> on 12.11.1999 12:58:28

To:   provos@citi.umich.edu, John Harleman/Certicom@Certicom
cc:   ipsec@lists.tislabs.com, jerome@psti.com
Subject:  Re: ike and elliptic curves




If wishes were crypto bits, we'd all have zillion bit keys.

The question of whether or not an IKE group is strong enough
to protect a 3DES key seems to depend on what the overall security
and performance goals are.  The bottom line is that the numbers
used for the Diffie-Hellman computations must be as small as
possible, because the performance is dominated by the cost of
the basic arithmetic operations.  If this weren't such a computationally
costly operation, we'd just use 20K bits for the regular groups and
a few hundred for the elliptic curve groups.  But, it isn't so, and
it is necessary to find just the right balance point.

Now, how strong should the key exchange for a 3DES key really be?
The effective key strength for 3DES is 112 bits.  Who chose that
number?  It's only a happenstance, because 56 is too short
and the simplest way to get to anything stronger is to
use 2*56.  Then comes the bottom line question: is 112 the minimum
requirement for protecting the data?  If it isn't, if 80 or 90 bits
is the security requirement, then a key exchange that matches the
lesser strength is perfectly OK.  And that means that the DH key exchange
can be much faster.

A NRC report of a couple of years ago recommended 90 bits, I believe, as a
reasonable default value for data protection.

I'm more concerned about reports I've heard that some of the elliptic
curve implementations are quite slow. I'm extremely puzzled about how
that could come about, being as there is a reasonable amount of literature
on how to code up fast routines.

Hilarie