
Re: Fwd: Re: IKEv2 Key Size Conformance Requirements



> All of us know that 1024 bits key makes 128 - 8 bit bytes, since the
> computer industry is shifting more and more to embedded cryptography, i.e.
> in the VLSI chips. I believe we should keep the pattern of integral
> multiples of bytes. In other words we keep the 1024 bits keys.

I strongly disagree.  The _implementation_ of a 1023-bit key will be padded
to the logical 8-bit boundary, of course.  When _generating_ a prime, that
prime may not always have the most-significant bit set out of the, say, 1024
bits possible.  That prime then becomes a 1023-bit prime.

Many device drivers roll-over-and-die because of this, and that's just a bug.
Align things to 1024 for the hardware, but don't limit the user because it
adds a few bits to a device driver.

I have not yet seen a compelling performance case for not handling small
aberrations in size in the device driver.  I will gladly accept real-world
data that indicates accepting 1023 or 1022 bit primes will slow down
performance to an unacceptable level.

Dan
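
An added example, not part of the message above or of any driver it refers to: one way a driver could accept a 1022- or 1023-bit value and still hand the hardware a byte-aligned 1024-bit operand. The names `HW_OPERAND_BYTES`, `be_bit_length` and `hw_load_operand`, and the big-endian input format, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed fixed operand width of the hardware: 1024 bits. */
#define HW_OPERAND_BYTES 128

/* Bit length of a big-endian unsigned integer.
 * Leading zero bytes and leading zero bits are not counted. */
size_t be_bit_length(const uint8_t *in, size_t len)
{
    size_t i = 0;
    while (i < len && in[i] == 0)
        i++;
    if (i == len)
        return 0;                       /* value is zero */
    size_t bits = (len - i) * 8;
    for (uint8_t top = in[i]; !(top & 0x80); top <<= 1)
        bits--;                         /* drop unused high bits */
    return bits;
}

/* Copy a big-endian value into the fixed-width operand buffer,
 * right-aligned and zero-padded on the left. The caller's encoding may
 * be shorter than the operand or carry extra leading zero bytes.
 * Returns the true bit length, or 0 if the value is zero or does not
 * fit in the operand. A 1023-bit prime is accepted and reported as 1023. */
size_t hw_load_operand(uint8_t out[HW_OPERAND_BYTES],
                       const uint8_t *in, size_t len)
{
    size_t bits = be_bit_length(in, len);
    if (bits == 0 || bits > (size_t)HW_OPERAND_BYTES * 8)
        return 0;
    size_t nbytes = (bits + 7) / 8;     /* significant bytes only */
    memset(out, 0, HW_OPERAND_BYTES);
    memcpy(out + HW_OPERAND_BYTES - nbytes, in + (len - nbytes), nbytes);
    return bits;
}
```

The size check is on the value's bit length rather than on the length of the buffer it arrived in, so alignment for the hardware and the size reported to the user stay separate.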