
IKEv2 security consideration over-statement



Greetings again. My apologies for not seeing this sooner. In the 
security considerations section of IKEv2, it says:

    The strength of a key derived from a Diffie-Hellman exchange using
    any of the groups defined here depends on the inherent strength of
    the group, the size of the exponent used, and the entropy provided by
    the random number generator used. Due to these inputs it is difficult
    to determine the strength of a key for any of the defined groups.
    Diffie-Hellman group number two, when used with a strong random
    number generator and an exponent no less than 200 bits, is sufficient
    for use with 3DES.  Groups three through five provide greater
    security. Group one is for historic purposes only and does not
    provide sufficient strength except for use with DES, which is also
    for historic use only. Implementations should make note of these
    conservative estimates when establishing policy and negotiating
    security parameters.

The sentence "Diffie-Hellman group number two, when used with a 
strong random number generator and an exponent no less than 200 bits, 
is sufficient for use with 3DES" is probably not true. Group 2 (1024 
bits) is probably equivalent to about 80 bits of symmetric strength, 
not 112. A better wording for this sentence is "Diffie-Hellman group 
number two, when used with a strong random number generator and an 
exponent no less than 200 bits, is common for use with 3DES". That 
is, most VPN systems only need 80ish bits of symmetric strength.

The sentence "Groups three through five provide greater security" is 
misleading. Group 3 is 155 bits using elliptic curve, meaning about 
77 bits of symmetric strength, similar to group 2. Group 4 is 185 bits 
using elliptic curve, or 92 bits of symmetric strength. Further, to 
date, almost no one implements groups 3 and 4 due to lack of customer 
demand and looming patent issues. It is better to change this to 
simply say "Group five provides greater security than group two."

Also, maybe drop the word "conservative" in the last sentence since 
it is not clear what it means.

--Paul Hoffman, Director
--VPN Consortium
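
Added example (not part of the original message): a policy check that estimates the symmetric-equivalent strength of each IKE Diffie-Hellman group and flags proposals where the group, or a short exponent, is weaker than the negotiated cipher. The MODP estimate uses the number-field-sieve work-factor approximation with the 4.69 calibration constant from NIST's FIPS 140-2 implementation guidance, and the 768-bit and 1536-bit sizes for groups 1 and 5 are the standard values; both are assumptions of this example, as are all function names.

```python
import math

# Sizes for groups 2, 3 and 4 are quoted in the message; 768 and 1536 bits
# for groups 1 and 5 are the standard MODP sizes (assumption, not on the page).
GROUPS = {
    1: ("modp", 768),
    2: ("modp", 1024),
    3: ("ec2n", 155),
    4: ("ec2n", 185),
    5: ("modp", 1536),
}
CIPHER_BITS = {"DES": 56, "3DES": 112}  # effective symmetric strength


def modp_strength(modulus_bits):
    """Number-field-sieve work estimate in bits (4.69 is a calibration constant)."""
    ln_n = modulus_bits * math.log(2)
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)


def group_strength(group, exponent_bits=None):
    """Approximate symmetric-equivalent strength of one DH group."""
    kind, size = GROUPS[group]
    if kind == "ec2n":
        return size // 2  # half the field size, as in the message
    strength = modp_strength(size)
    if exponent_bits is not None:
        # A short exponent falls to square-root search in 2^(bits/2) steps.
        strength = min(strength, exponent_bits / 2)
    return strength


def check_proposal(cipher, group, exponent_bits=None):
    """Return (dh_bits, cipher_bits, ok); ok is False when DH is the weak link."""
    dh = group_strength(group, exponent_bits)
    want = CIPHER_BITS[cipher]
    return round(dh), want, dh >= want


if __name__ == "__main__":
    # Constructed sample proposals: (cipher, group, exponent bits)
    for cipher, group, exp in [("3DES", 2, 200), ("3DES", 5, 256), ("DES", 1, 160)]:
        dh, want, ok = check_proposal(cipher, group, exp)
        verdict = "ok" if ok else "DH is the weak link"
        print(f"{cipher} + group {group}: DH ~{dh} bits vs {want} -> {verdict}")
```

With these estimates, 3DES paired with group 2 and a 200-bit exponent is limited by the 1024-bit modulus rather than by the exponent.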