Re: speaking of keys



At 3:23 PM -0500 12/6/02, Michael Richardson wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>>>>>>  "The" == The Purple Streak, Hilarie Orman <ho@alum.mit.edu> writes:
>     The> You only get about 80 bits of strength from a 1024-bit DH group.  That
>     The> seems insufficient for reasonable paranoids.
>
>   Yes.
>   I'd like to see the 1536 group ("group 5", still in ID queue) as a MUST
>in IKEv2, and I'd like to see the next larger group given a SHOULD.
>
>   (group 5 is spec'ed as MUST for FreeSWAN-style Opportunistic Encryption,
>to support 3DES)
>
>   It is very important that we spec something, and that we also suggest where
>the failover direction is.

Well, I have been corrected re the entropy confusion by David's 
recent message, but why go all the way to 1536? Isn't there an 
intermediate group size that would be reasonable for those who insist 
on more than 1024, say something in the 1200 bit range?

Also, let's remember that the key size is not the only factor in 
determining the security of these systems.  It's tempting to raise 
the bar on key size to make sure it is not the weakest link, and I 
appreciate that. But we also run the risk of driving people away due 
to the performance hit.  Frankly, the worst case here might be a 
software implementation on a user WS/laptop where there are lots more 
likely ways that the security of the traffic will be compromised 
(other than solving the discrete log problem for a 1024-bit group) 
and where the performance hit will be most visible and thus may 
eventually motivate an individual to NOT use IPsec at all.

I don't have a problem with a MAY for bigger groups, but I really 
think it is most appropriate to focus on the management facility to 
allow user communities to select their own, of whatever size they 
feel is appropriate.

Steve