[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

comment on draft-orman-public-key-lengths-02.txt

Actually 2 comments.

The first comment is that the draft is very well written. Thanks for making
my life easier.

The second comment is something which I have mentioned before...

As the draft states, the correct procedure for choosing algorithms/key
lengths is as follows:

1. Determine the number of symmetric key bits matching the security
requirement of the application (n).

2. Choose a symmetric cipher that has a key with at least n bits, and a
cryptanalytic strength of at least that much.

3. Choose a key exchange algorithm with a resistance to attack of at
least n bits.


This is something which was not clear in previous versions of the draft, and
vestiges of the old way of thinking remain. I think the following paragraph
best illustrates the misunderstanding:

If it is possible to design hardware for AES cracking that is
considerably more efficient than hardware for DES cracking, then the
moduli for protecting the key exchange can be made smaller. However, the
existence of such designs is only a matter of speculation at this early
moment in the AES lifetime.


I find the idea that the KE moduli can be decreased if AES is found to be
weak rather silly. After all, the requirement is not to match the symmetric
key algorithm to the key exchange algorithm; the requirement is only to
ensure that both algorithms have at least an equivalent strength of n.

The reason I bring this up is because I think the above paragraph is prone
to misinterpretation. If 3DES/Group2 provided adequate security for you
yesterday then AES/Group2 should be good enough for you tommorow.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.
References: