Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms

Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:

> At 9:53 AM -0400 6/11/03, Paul Koning wrote:
> >  >>>>> "Yoav" == Yoav Nir <ynir@checkpoint.com> writes:
> >
> >  Yoav> So RC4, Blowfish and IDEA are "MAY", but DES is "SHOULD NOT"?
> >  Yoav> I think those should be at least as discouraged as DES.
> >
> >Why?  DES is known to be weak (inadequate key size), while the others
> >are (unless I missed something recent) not substantially weaker than
> >exhaustive search of their key.
> Any algorithm with a variable key size could be considerably weaker
> than DES. Unless you are going to start listing key sizes and giving
> each size a rating, saying SHOULD NOT for DES but MAY for some other
> algorithm that can use 40-bit keys is silly.

It might be a good idea to have a SHOULD NOT for too-short key lengths
(maybe under 'Security Considerations'), independent of algorithm.
The IKE RFC, for instance, says

> For this reason, a prf function whose output is less than 128 bits
> (e.g., 3DES-CBC) MUST never be used with this protocol.

Proposed wording is:

Implementors and administrators should carefully consider what
algorithms and key sizes are appropriate for each situation; as a
minimum, an implementation SHOULD NOT use an algorithm with a key size
of 64 bits or less in its default configuration.

- Geoffrey Keating <geoffk@geoffk.org>
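
An added example, not part of the original message: a check that applies the proposed algorithm-independent rule (no key of 64 bits or less in the default configuration) and treats a variable-key cipher with no configured length as unratable, which is the concern raised in the quoted reply. The function names, the key-size table and the sample configuration are assumptions constructed for illustration.

```python
# Added illustration: names, table and sample proposals are constructed.
THRESHOLD_BITS = 64  # proposed rule: a key size of 64 bits or less is SHOULD NOT

# Fixed-key ciphers and their key bits (DES: 56 effective, 64 with parity;
# either figure falls under the rule). Variable-key ciphers have no entry,
# so only the configured key length can be rated.
FIXED_KEY_BITS = {"DES": 56, "3DES": 168, "IDEA": 128}
VARIABLE_KEY = {"RC4", "BLOWFISH"}


def rate(alg, key_bits=None):
    """Return (ok, reason) for one default-configuration entry."""
    name = alg.upper()
    if name in FIXED_KEY_BITS:
        bits = FIXED_KEY_BITS[name]  # a configured length is ignored here
    elif name in VARIABLE_KEY:
        if key_bits is None:
            # Cannot be rated by algorithm name alone.
            return False, f"{name}: variable key size, no length configured"
        bits = key_bits
    else:
        return False, f"{name}: unknown algorithm, cannot rate"
    if bits <= THRESHOLD_BITS:
        return False, f"{name}: {bits}-bit key is 64 bits or less"
    return True, f"{name}: {bits}-bit key"


def audit_defaults(proposals):
    """Return the reasons for every entry that violates the rule."""
    results = (rate(alg, bits) for alg, bits in proposals)
    return [reason for ok, reason in results if not ok]


# Constructed sample default configuration: (algorithm, configured key bits)
SAMPLE_DEFAULTS = [
    ("3DES", None), ("DES", None), ("RC4", 40),
    ("Blowfish", 128), ("RC4", None), ("IDEA", None),
]

if __name__ == "__main__":
    for line in audit_defaults(SAMPLE_DEFAULTS):
        print("SHOULD NOT:", line)
```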