Re: Interoperability (was: Death to AH?)
>>>>> "John" == John Harleman <jharleman@certicom.com> writes:
John> Hi Paul: Excuse my delay, but what do you think of the
John> IPSec-AES draft
It looks fine, other than the issue that has been discussed a while
ago that the suggested D-H sizes may create an unacceptable
performance hit. Note that the draft makes no assertions about the
relative strength of the 5 candidates. (Others have done so, e.g., in
the context of the AES conferences. At this point I'd say that there
is only very partial consensus in this area.)
John> and the key strengths that were accepted into ANSI?
Haven't seen that. Could you elaborate?
John> As far as comparisons, with any cipher they are made by
John> evaluating the time to crack using the best known attacks
John> today. Provided that the cipher has undergone sufficient
John> standards scrutiny such as all of the FIPS standards--DES, DSA,
John> RSA, and ECC, I believe that these are valid. There will always
John> be some dissension around the edges, but isn't it better to use
John> the yardstick that the overwhelming majority of the community
John> agree upon?
What yardstick are you talking about?
Any decent cipher will have strength (i.e., best known published
attack) equal to brute force search, or nearly that. Given an
adequate key size (i.e., not DES) that will do the job.
I suppose you could argue, then, that requests for any supported block
cipher of key length x and blocksize y should be interchangeable. Is
that what you're suggesting?
My point was that I don't know of "overwhelming majority" consensus
saying that IDEA is stronger than Blowfish for the same key size, or
vice versa. The same, only more so, applies to ECC vs. RSA/DSA --
there, proponents of the various schemes argue long and vociferously
about the computational complexity of the various attacks. In
particular, as a disinterested bystander I don't see "overwhelming
majority" consensus that the math/crypto community understanding of
best possible attacks for ECC is at a similar level of confidence as
it is for RSA/DSA. This is why I commented that there does not exist
a "well documented ordering of strength" across these systems.
paul
John> Paul Koning <pkoning@xedia.com> on 05.06.2000 07:29:01
John> To: John Harleman/Certicom@Certicom
John> cc: dharkins@cips.nokia.com, ipsec@lists.tislabs.com
John> Subject: Re: Interoperability (was: Death to AH?)
>>>>> "John" == John Harleman <jharleman@certicom.com> writes:
John> There is no order, but there is a well documented strength even
John> between different crypto systems. If you accept Dan's approach
John> to variable key-length ciphers, why wouldn't you accept it for
John> variable key length public-key algorithms?
> I assume you meant that there is "a well documented ordering of
> strength for the different systems".
> If so, I would disagree. Certainly people have voiced the
> opinion that ECC with an x bit key is as strong as RSA with a y
> bit key. But others have voiced different opinions.
> Similarly, you may be able to find opinions on the relative
> strength of, say, IDEA, 3DES, and Blowfish, but I don't think
> you will find consensus.