[Cfrg] Providing guidance on the choice of symmetric key length?
Florent Bersani <florent.bersani@rd.francetelecom.fr> Mon, 03 May 2004 15:42 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA08743 for <cfrg-archive@odin.ietf.org>; Mon, 3 May 2004 11:42:42 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKfXz-0001GJ-IW for cfrg-archive@odin.ietf.org; Mon, 03 May 2004 11:39:59 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i43FdxfS004851 for cfrg-archive@odin.ietf.org; Mon, 3 May 2004 11:39:59 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKfTn-0008Qp-HM for cfrg-web-archive@optimus.ietf.org; Mon, 03 May 2004 11:35:39 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA08379 for <cfrg-web-archive@ietf.org>; Mon, 3 May 2004 11:35:36 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BKfTm-0001LT-Fr for cfrg-web-archive@ietf.org; Mon, 03 May 2004 11:35:38 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BKfSo-0001I3-00 for cfrg-web-archive@ietf.org; Mon, 03 May 2004 11:34:39 -0400
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1BKfRq-0001Eu-00 for cfrg-web-archive@ietf.org; Mon, 03 May 2004 11:33:38 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKfOK-0007AC-Ux; Mon, 03 May 2004 11:30:00 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKf3i-00061T-AO for cfrg@optimus.ietf.org; Mon, 03 May 2004 11:08:42 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA07161 for <cfrg@ietf.org>; Mon, 3 May 2004 11:08:37 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BKf3f-0007OI-HZ for cfrg@ietf.org; Mon, 03 May 2004 11:08:39 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BKf2s-0007L2-00 for cfrg@ietf.org; Mon, 03 May 2004 11:07:51 -0400
Received: from p-mail2.rd.francetelecom.com ([195.101.245.16]) by ietf-mx with esmtp (Exim 4.12) id 1BKf1w-0007Ik-00 for cfrg@ietf.org; Mon, 03 May 2004 11:06:52 -0400
Received: from parmhs4.rd.francetelecom.fr ([10.193.117.63]) by parsmtp1.rd.francetelecom.com with Microsoft SMTPSVC(6.0.3790.0); Mon, 3 May 2004 17:06:44 +0200
Received: from rd.francetelecom.fr ([10.193.167.74]) by parmhs4.rd.francetelecom.fr with Microsoft SMTPSVC(5.0.2195.6747); Mon, 3 May 2004 17:06:44 +0200
Message-ID: <40966075.8030702@rd.francetelecom.fr>
Date: Mon, 03 May 2004 17:08:37 +0200
From: Florent Bersani <florent.bersani@rd.francetelecom.fr>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: cfrg@ietf.org
Content-Type: text/plain; charset="windows-1252"; format="flowed"
X-OriginalArrivalTime: 03 May 2004 15:06:44.0116 (UTC) FILETIME=[3F228D40:01C43120]
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by ietf.org id LAA07162
Subject: [Cfrg] Providing guidance on the choice of symmetric key length?
Sender: cfrg-admin@ietf.org
Errors-To: cfrg-admin@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.1 required=5.0 tests=AWL autolearn=no version=2.60
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: quoted-printable
Hi, Sorry to bother you with a another somewhat naive question I stumbled across while trying to work on an EAP method (EAP is RFC 2284 revised by 2284bis) In short, when using a symmetric key cryptographic primitive (namely a block or a stream cipher), you may have to choose (among other parameters) the key size. This is indeed the case with say AES, since according to FIPS 197, you may use a 128, 192 or 256 bit keys. The question is: what key length should be chosen (arguably, since this choice may depend on the target application in which the primitive has to be used, let's say for an authentication protocol used over the Internet). This seems to be quite a dumb question, since the answer is IMHO folklore: 128 bits is OK for most (all?) applications. My point is that I surprisingly did not find any simple and clear reference to which (non-expert) people working at IETF could be pointed to, regarding the choice of symmetric key length. Any feedback would be most welcome. Many thanks in advance, Florent, who perhaps has a very stringent definition of simple and clear reference ;-) and agrees that his question is not a very good one :-( Just wanted to make sure Indeed, the references I consulted before daring to turn to the CFRG include: * "Handbook of Applied Cryptography" by Menezes et al.: chapter 1 on (§1.13.4) and chapter 7 on block ciphers (§7.2.1 (iii), 7.2.3 and §7.8) * "Applied Cryptography" by Bruce Schneier, part II chapter 7 (key length) * "Minimal Key Length for Symmetric Ciphers to Provide Adequate Commercial Security. A Report by an Ad Hoc Group of Cryptographers and Computer Scientists", M. Blaze, W. Diffie et al., Jan. 1996. * "Selecting cryptographic key size" by Lenstra and Verheul, 2001, http://citeseer.ist.psu.edu/287428.html * "A Cost-Based Security Analysis of Symmetric and Asymmetric Key Lengths", RSA Laboratories Bulletin 13, April 2000 (Revised November 2001), http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html * "Determining strengths for public keys used for exchanging symmetric keys", H. Orman and P. Hoffman, RFC 3766 * "The AES-CBC Cipher Algorithm and Its Use with IPsec", S. Frankel et al., RFC 3602 Generally, these references rather aim at studying public key length compared to symmetric key length and usually consider my question as a simple side problem, e.g. in RFC 3766 "While it is fairly easy to express the system strength requirements in terms of a symmetric key length". I agree that it is not hard to become aware that there seems to be consensus that a 128 bit key with a (good) block cipher is OK (e.g. in RFC 3766 "In this section, for illustrative purposes, we will implicitly assume that the system security requirement is 112 bits; this doesn’t mean that 112 bits is recommended. In fact, 112 bits is arguably too strong for any practical purpose. It is used for illustration simply because that is the upper bound on the strength of TripleDES") and that some reference do provide explicit estimates for symmetric key size choice. The naive question that however logically puzzles the curious (and not-expert in cryptography) protocol developer is why then do we have the choice to use a larger, say 256 bit, key? Possible answers I thought of include: * It is a good idea to be conservative in cryptography and to allow for larger key sizes (but then why shouldn't I be conservative myself and not use AES-256?) * You may use larger key size but performance will degrade (a quite complete performance report to back up/infirm this claim seems to be the NESSIE deliverable 21 e.g. table 31, https://www.cosic.esat.kuleuven.ac.be/nessie/deliverables/D21-v2.pdf). However, depending on the application, performance may not be that much of an issue (e.g. an authentication protocol probably does not have the same performance requirements for its primitive as a "bulk data encryption protocol" - like ESP) and degradation may be very little (see e.g. http://www.ietf.org/proceedings/01dec/slides/ipsec-11.pdf). * You may use larger key size but you will have export regulations problems (for example, in France, 128 bit is a threshold, see http://www.ssi.gouv.fr/fr/reglementation/regl_crypto.html) (An additional reason I was indicated for having larger key size could be when the key has an "entropy" that is not equal to its length but this seems IMHO a rather deviant and bad reason to use a 256 bit key block cipher with 256 bits that are chosen at random from say a 2**128 space. I'd prefer to have the "bad" 256 key bits pre-processed and then used in a 128 bit block cipher) After reading references like draft-ietf-ipsec-ciph-camellia-01.txt or RFC 3602, security considerations section: "Implementations are encouraged to use the largest key sizes they can when taking into account performance considerations for their particular hardware and software configuration. Note that encryption necessarily impacts both sides of a secure channel, so such consideration must take into account not only the client side, but the server as well. However, a key size of 128 bits is considered secure for the foreseeable future", I still find it hard for a protocol developer to choose ;-) _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Providing guidance on the choice of symmet… Florent Bersani
- Re: [Cfrg] Providing guidance on the choice of sy… Steven M. Bellovin
- Re: [Cfrg] Providing guidance on the choice of sy… Daniel Brown
- Re: [Cfrg] Providing guidance on the choice of sy… The Purple Streak, Hilarie Orman
- Re: [Cfrg] Providing guidance on the choice of sy… Steven M. Bellovin