[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AES draft query

To: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: AES draft query
From: "John Harleman" <jharleman@certicom.com>
Date: Sun, 19 Mar 2000 10:18:02 -0800
cc: ipsec@lists.tislabs.com, "Scott G. Kelly" <sgkelly@ix.netcom.com>, EKR <ekr@rtfm.com>
Sender: owner-ipsec@lists.tislabs.com

I agree that this is a marketing and education problem. I've used a lot of IPSec
clients and browsers. In most all cases, the advertised strength has been based
on the symmetric cipher. When setting a symmetric strength, the appropriate
corresponding PK strength should be highlighted so that the users can at least
make an informed decision and not unnecessarily burden their equipment as EKR
points out. It is not easy for users to understand that something symmetric =
double that value when using ecc = something completely different when using DH
or RSA.

This doesn't change the fact, however, that it does not make sense to deploy a
stronger symmetric algorithm than a public-key one and that if one is
incorporating 256-bit symmetric into a protocol or product, one should
incorporate that corresponding public-key strengths. cheers - john

Paul Hoffman <paul.hoffman@vpnc.org> on 18.03.2000 07:50:38

To:   ipsec@lists.tislabs.com
cc:    (bcc: John Harleman/Certicom)
Subject:  Re: AES draft query

At 10:05 PM 3/17/00 -0800, EKR wrote:
>I disagree with this position, for two reasons:

It's not a "position", it's an explanation about why the situation might
happen.

>1. It's inefficient from a design perspective. Why incur additional
>performance costs if they don't add any security value? Even
>if the cost is only 50%, why pay it if it's not adding anything.

This is technically correct, but irrelevant. Unless we mandate that "if you
use AES-128, you MUST only use public keys of exactly 2056 bits and nothing
else", the mismatch will continue to happen. This is particularly true
between two parties who have looked at different numbers for the equivalent
strengths of symmetric and asymmetric keys and come to different
conclusions. The numbers that Hilarie and I came up with differ from other
numbers being proposed because we used different assumptions about the future.

>2. It's very confusing to users, who expect security to increase
>with increasing key size.

Disagree. The statement I made was:

 > The baseline decision is "are both the symmetric
 > and asymmetric keys strong enough for what I want?"

A user who is smart enough to answer that question correctly is smart
enough to know that increasing the size of one key at a different rate than
the other key is not going to get a balanced increase in security.

Of course, it is the rare IPsec user who understands this concept, and most
go by "I hear 128 is enough" and, unfortunately, "I hear 256 is better than
128 and my security gateway still seems to run fast so I'll use 256". This
can be countered with education, to the somewhat limited extent that
education about security has been successful.

--Paul Hoffman, Director
--VPN Consortium

Prev by Date: Re: MAC speeds
Next by Date: Re: AES draft query
Prev by thread: RE: AES draft query
Next by thread: I-D ACTION:draft-ietf-ipsec-heartbeats-00.txt
Index(es):
- Main
- Thread