[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: AES draft query
> A user who is smart enough to answer that question correctly is smart
> enough to know that increasing the size of one key at a
> different rate than
> the other key is not going to get a balanced increase in security.
>
> Of course, it is the rare IPsec user who understands this
> concept, and most
> go by "I hear 128 is enough" and, unfortunately, "I hear 256
> is better than
> 128 and my security gateway still seems to run fast so I'll
> use 256". This
> can be countered with education, to the somewhat limited extent that
> education about security has been successful.
Hi Paul,
There seems to be an implicit assumption here that users will be tweaking
the format of the SA proposals themselves and that they will decide between
128 bit AES and 256 bit AES.
I don't think this is realistic. In 90% of the cases, the users will use
whatever set of transforms we include as a pre-configured part of the
product (caveat emptor).
In the other 10% of the cases, the users had better understand what they are
doing before they frig with the crypto setup. In other words, they should
get outside advice from a knowledgeable security consultant.
Of course, there will be users who base their decisions on magazine reviews,
which can be misleading. Maybe the VPNC can help out here, by educating the
reviewers and ensuring that they do their performance comparisons using an
appropriate set of transforms.
Andrew
_______________________________________________
Beauty without truth is insubstantial.
Truth without beauty is unbearable.
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Hoffman
> Sent: Saturday, March 18, 2000 10:51 AM
> To: ipsec@lists.tislabs.com
> Subject: Re: AES draft query
>
>
> At 10:05 PM 3/17/00 -0800, EKR wrote:
> >I disagree with this position, for two reasons:
>
> It's not a "position", it's an explanation about why the
> situation might
> happen.
>
> >1. It's inefficient from a design perspective. Why incur additional
> >performance costs if they don't add any security value? Even
> >if the cost is only 50%, why pay it if it's not adding anything.
>
> This is technically correct, but irrelevant. Unless we
> mandate that "if you
> use AES-128, you MUST only use public keys of exactly 2056
> bits and nothing
> else", the mismatch will continue to happen. This is
> particularly true
> between two parties who have looked at different numbers for
> the equivalent
> strengths of symmetric and asymmetric keys and come to different
> conclusions. The numbers that Hilarie and I came up with
> differ from other
> numbers being proposed because we used different assumptions
> about the future.
>
> >2. It's very confusing to users, who expect security to increase
> >with increasing key size.
>
> Disagree. The statement I made was:
>
> > The baseline decision is "are both the symmetric
> > and asymmetric keys strong enough for what I want?"
>
> A user who is smart enough to answer that question correctly is smart
> enough to know that increasing the size of one key at a
> different rate than
> the other key is not going to get a balanced increase in security.
>
> Of course, it is the rare IPsec user who understands this
> concept, and most
> go by "I hear 128 is enough" and, unfortunately, "I hear 256
> is better than
> 128 and my security gateway still seems to run fast so I'll
> use 256". This
> can be countered with education, to the somewhat limited extent that
> education about security has been successful.
>
> --Paul Hoffman, Director
> --VPN Consortium
>
>
Follow-Ups:
References: