Forgive the intrusion of this thought, but those of us working commercially have to ask: would use of AES 128 without 128 bits of entropy have any FIPS implications? FIPS 197 doesn't mandate (from what I can tell) 128 bits of entropy for 128 bit key AES, but is there another FIPS document that would imply that x bit keys require x bit of entropy?
Additionally, it makes me a bit uneasy to not use 128 bits of entropy here. I believe AES with 128 bit keys carries the idea of 128 bits of entropy to the uneducated and lesser educated, even if they don't understand entropy and all the other concepts involved.
mark
-----Original Message-----
From: Jari Arkko [mailto:jari.arkko@kolumbus.fi]
Sent: Sunday, February 03, 2002 1:43 AM
To: Hilarie Orman, Purple Streak Development;
Mark.Winstead@NetOctave.com
Cc: ipsec@lists.tislabs.com
Subject: Re: What is the standardization status of AES in IPSec?
> I'm curious as to how many people believe that a MUST for a 128-bit AES
> key means a MUST for 128 bits of entropy in the key.
I don't. While I believe we should move to AES as soon as possible, I
don't necessarily believe in the statement that all components of the
protocol set must be equally strong; you should be able to take advantage
of a new good algorithm even if you can't for e.g. computational reasons
increase Diffie-Hellman key lengths quite as much.
Thus, I believe we should standardize groups matching AES strength,
but not make them mandatory. And we need to explain the strength
issues somewhere.
Jari