[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: AES draft query
At 10:05 PM 3/17/00 -0800, EKR wrote:
>I disagree with this position, for two reasons:
It's not a "position", it's an explanation about why the situation might
happen.
>1. It's inefficient from a design perspective. Why incur additional
>performance costs if they don't add any security value? Even
>if the cost is only 50%, why pay it if it's not adding anything.
This is technically correct, but irrelevant. Unless we mandate that "if you
use AES-128, you MUST only use public keys of exactly 2056 bits and nothing
else", the mismatch will continue to happen. This is particularly true
between two parties who have looked at different numbers for the equivalent
strengths of symmetric and asymmetric keys and come to different
conclusions. The numbers that Hilarie and I came up with differ from other
numbers being proposed because we used different assumptions about the future.
>2. It's very confusing to users, who expect security to increase
>with increasing key size.
Disagree. The statement I made was:
> The baseline decision is "are both the symmetric
> and asymmetric keys strong enough for what I want?"
A user who is smart enough to answer that question correctly is smart
enough to know that increasing the size of one key at a different rate than
the other key is not going to get a balanced increase in security.
Of course, it is the rare IPsec user who understands this concept, and most
go by "I hear 128 is enough" and, unfortunately, "I hear 256 is better than
128 and my security gateway still seems to run fast so I'll use 256". This
can be countered with education, to the somewhat limited extent that
education about security has been successful.
--Paul Hoffman, Director
--VPN Consortium
Follow-Ups:
References: