
Re: AES and block size?




Dan writes:

>And since I'm on the subject, what do I do with IKE in the face of "I'm
>willing to support multiple keysizes"?  Do I send multiple transforms with
>the only difference being different keysize attribute values?  Or do I just
>pick one and try again later?


My system has the possibility to configure the min/max limits for key
size. I intersect these with the native algorithm limits, and get the final
range. If more than one possible size remains, then I send two transforms,
one for the smallest possible key size, one for the largest. It's not a perfect
scheme but it seems to work most of the time. (A horrible idea: send a
transform for each key size 40, 48, ..., 448 - or redo the IKE negotiations
that many times...)

Jari Arkko
Ericsson
P.S. Variable keysize support seems still somewhat rare, even with people
who have algorithms like Blowfish. Many of them can only handle those
at one key length.
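
The range intersection described in this message, as an added example that is not part of the original post and not Ericsson's code. The limits table, the function name, and the largest-first ordering of the two transforms are assumptions of the example; the Blowfish sizes follow the 40, 48, ..., 448 series mentioned above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CipherLimits:
    name: str
    min_bits: int   # smallest key the algorithm accepts
    max_bits: int   # largest key the algorithm accepts
    step_bits: int  # spacing between valid key sizes


# Native limits (constructed table for this example).
BLOWFISH = CipherLimits("blowfish", 40, 448, 8)
AES = CipherLimits("aes", 128, 256, 64)


def keysize_transforms(cipher: CipherLimits,
                       cfg_min: Optional[int] = None,
                       cfg_max: Optional[int] = None) -> List[Tuple[str, int]]:
    """Return the (algorithm, key bits) transforms to offer.

    Intersects the configured min/max with the native limits, snaps the
    result inward to sizes the algorithm really supports, and offers only
    the two ends of the remaining range.
    """
    lo = cipher.min_bits if cfg_min is None else max(cipher.min_bits, cfg_min)
    hi = cipher.max_bits if cfg_max is None else min(cipher.max_bits, cfg_max)

    step, base = cipher.step_bits, cipher.min_bits
    lo = base + -(-(lo - base) // step) * step  # round up to a valid size
    hi = base + ((hi - base) // step) * step    # round down to a valid size

    if lo > hi:
        return []                    # policy and algorithm do not overlap
    if lo == hi:
        return [(cipher.name, lo)]   # only one size left: one transform
    # Assumption: list the larger key first so a responder that honours
    # the initiator's ordering prefers it. The post does not state an order.
    return [(cipher.name, hi), (cipher.name, lo)]


if __name__ == "__main__":
    print(keysize_transforms(BLOWFISH, 128, 256))
    print(keysize_transforms(AES, 100, 200))
    print(keysize_transforms(AES, 130, 190))
```

An empty result means the configured policy excludes every size the algorithm supports, so the algorithm should be left out of the proposal rather than offered at an out-of-policy size.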