Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms



Henry Spencer wrote:
>On 11 Jun 2003, David Wagner wrote:
>> I don't recall a MAY requirement for any 40-bit cipher.  We debated
>> 40-bit ciphers a long time ago (remember export controls?), and we came
>> to consensus many years ago that 40-bit ciphers have no place in IPSec.
>> Are you saying there is a MAY requirement for a 40-bit cipher?  If so,
>> that should be fixed, but I don't believe it.
>
>RFC 2451 Blowfish allows keys as short as 40 bits, as does RFC 2451 CAST. 
>RFC 2451 IDEA does not. 

That's different.  IPSec does not have a MAY requirement for 40-bit
ciphers.  It has a MAY requirement for ciphers like Blowfish which can be
used with 40-bit keys, but the default key size for Blowfish is 128 bits,
which is adequate.  With DES, not only is the default key inadequate
(56 bits), that's the *only* supported key size; as a result, DES is
clearly inadequate for deployment in most new systems.

It's not what size keys the cipher supports that matters; it's what size
keys are standardized for use in IPSec.

Maybe we should add a line to RFC2451 saying that users SHOULD NOT
use key sizes shorter than the default.  There's no good reason to use
shorter keys.  This addition would make everything consistent with a
SHOULD NOT policy for DES.  Will this make everyone happy?

(Amusingly, RFC2451 suggests that implementors SHOULD check for weak keys.
Personally, I consider *every* 40-bit key a weak key.)