[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms
Henry Spencer wrote:
>On 11 Jun 2003, David Wagner wrote:
>> I don't recall a MAY requirement for any 40-bit cipher. We debated
>> 40-bit ciphers a long time ago (remember export controls?), and we came
>> to consensus many years ago that 40-bit ciphers have no place in IPSec.
>> Are you saying there is a MAY requirement for a 40-bit cipher? If so,
>> that should be fixed, but I don't believe it.
>RFC 2451 Blowfish allows keys as short as 40 bits, as does RFC 2451 CAST.
>RFC 2451 IDEA does not.
That's different. IPSec does not have a MAY requirement for 40-bit
ciphers. It has a MAY requirement for ciphers like Blowfish which can be
used with 40-bit keys, but the default key size for Blowfish is 128 bits,
which is adequate. With DES, not only is the default key inadequate
(56 bits), that's the *only* supported key size; as a result, DES is
clearly inadequate for deployment in most new systems.
It's not what size keys the cipher supports that matters; it's what size
keys are standardized for use in IPSEc.
Maybe we should add a line to RFC2451 saying that users SHOULD NOT
use key sizes shorter than the default. There's no good reason to use
shorter keys. This addition would make everything consistent with a
SHOULD NOT policy for DES. Will this make everyone happy?
(Amusingly, RFC2451 suggests that implementors SHOULD check for weak keys.
Personally, I consider *every* 40-bit key a weak key.)