RE: What is the standardization status of AES in IPSec?

[Stephen Kent <kent@bbn.com>]

At 11:24 AM -0500 2/4/02, Mark Winstead wrote:
>Forgive the intrusion of this thought, but those of us working 
>commercially have to ask: would use of AES 128 without 128 bits of 
>entropy have any FIPS implications? FIPS 197 doesn't mandate (from 
>what I can tell) 128 bits of entropy for 128 bit key AES, but is 
>there another FIPS document that would imply that x bit keys require 
>x bit of entropy?
>
>Additionally, it makes me a bit uneasy to not use 128 bits of 
>entropy here. I believe AES with 128 bit keys carries the idea of 
>128 bits of entropy to the uneducated and lesser educated, even if 
>they don't understand entropy and all the other concepts involved.
>
>mark

Algorithm certification under FIPS processes generally does not 
address the question of key bit entropy, since the algorithm 
implementation often will receive keys externally. Thus that 
evaluation would not address the issues of the entropy of bits 
extracted from a DH exchange and later used as an AES key.

FIPS 140-x certification addresses RNGs and PRNGs as sources of 
randomness for keys, but that's not what we use in IKE.

There is a table that NIST has produced that recommends corresponding 
key sizes for AES/RSA/DH, and various EC variants, but I don't 
believe it is a requirement in any of the certification processes.

Steve