
RE: AES draft query



>>>>> "Paul" == Paul Hoffman <paul.hoffman@vpnc.org> writes:

 Paul> At 03:54 PM 3/17/00 -0800, John Harleman wrote:
 >> absolutely correct. but there is also 2 key 3des.

Not in IPSEC, there isn't.  I'm not sure what 2key 3des has to do with 
the aes discussion...

 >> as schneier and
 >> whiting recently pointed out:
 >> 
 >> http://www.counterpane.com/aes-comparison.html
 >> 
 >> key size is increased at the cost of performance with all AES
 >> candidates.  So why would one use larger strength AES algorithms
 >> without using the corresponding strength with public-key? cheers -
 >> john

 Paul> There could be many reasons. Some might include:
 Paul> - due to your hardware accelerator, 128->256 AES might only cost
 Paul>   you 50% more time but the corresponding increase in public key
 Paul>   might cost you 200%
 Paul> - the other party only offered you one AES length but many
 Paul>   acceptable choices for public key lengths
 Paul> There are probably others. The baseline decision is "are both the
 Paul> symmetric and asymmetric keys strong enough for what I want?"
 Paul> If the answer is yes, it does not matter if there is a mismatch
 Paul> in strength.

I think that's a very good way to look at things.  AES has the nice
property that it is (believed to be) much more secure than the
previous state of the art, at similar performance.  And in particular, 
it is both more secure *and faster* than 3DES, the predominant high
security cipher deployed right now.

While from a theoretical point of view it is best to match the
security of the public/DH and symmetric algorithms, that's only barely 
affordable for 128 bit keys and really problematic with longer keys.
(Then again, it isn't clear why someone would choose symmetric keys
longer than 128 at this time.  A few years from now, possibly yes.)

I would answer John's question with "because we can't afford to take
10 seconds or so to do a single D-H key agreement!"  Deployable
systems must have acceptable performance as well as acceptable
security.

	paul

