Re: Réf. : Re: What is the standardization status ofAES in IPSec?

[Paul Koning <pkoning@equallogic.com>]

Excerpt of message (sent 5 February 2002) by Romain BERRENDONNER:
> 
> I wonder what is the use of having symetric algorithms with
> keys longer than 128bits. All the papers I read show that is sufficient for
> protecting data
> in the next 20 years ... And is data worth being protected during 20 years
> sent over the wires ?

I would assume that it might be, absolutely.
 
> As I see things, IPsec provides a kind of 'tactical' security : it protects
> data during the time sufficient
> for making it irrelevant for an attacker. If I send my credit card number
> on the Internet, the information
> is valid for at most two years.

Not true, unless your credit card company changes your credit card
number (not just its expiration date) when it renews the card.  That
happens occasionally but it is not routine in my experience.

In any case, I don't think it's in the IPsec protocol goals to
protect only data that's worth protecting no longer than a year or two.
 
> Consequently, If I had to design a fully-secure Ipsec implementation, I
> would focus on having good
> entropy in keys rather than the longest key size possible. And I do agree
> with you that mandating
> "good" entropy isn't a good idea : it would remove a way to fine-grain
> systems' security (i.e. for export
> purpose).

I don't know of any export controls that have ever limited the amount
of allowable entropy.  The only ones that have been used (in the USA,
at least) restrict key lengths.  And note that key length limitations,
while not completely gone, are very much less an issue than they were
in the past.  Finally, IPsec is in no way limited to exportable
encryption, nor should it be.  (See also RFC 1984.)

      paul