IETF Logo Mail Archive

[Cfrg] Providing guidance on the choice of symmetric key length?

Florent Bersani <florent.bersani@rd.francetelecom.fr> Mon, 03 May 2004 15:42 UTC

Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA08743 for <cfrg-archive@odin.ietf.org>; Mon, 3 May 2004 11:42:42 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKfXz-0001GJ-IW for cfrg-archive@odin.ietf.org; Mon, 03 May 2004 11:39:59 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i43FdxfS004851 for cfrg-archive@odin.ietf.org; Mon, 3 May 2004 11:39:59 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKfTn-0008Qp-HM for cfrg-web-archive@optimus.ietf.org; Mon, 03 May 2004 11:35:39 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA08379 for <cfrg-web-archive@ietf.org>; Mon, 3 May 2004 11:35:36 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BKfTm-0001LT-Fr for cfrg-web-archive@ietf.org; Mon, 03 May 2004 11:35:38 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BKfSo-0001I3-00 for cfrg-web-archive@ietf.org; Mon, 03 May 2004 11:34:39 -0400
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1BKfRq-0001Eu-00 for cfrg-web-archive@ietf.org; Mon, 03 May 2004 11:33:38 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKfOK-0007AC-Ux; Mon, 03 May 2004 11:30:00 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKf3i-00061T-AO for cfrg@optimus.ietf.org; Mon, 03 May 2004 11:08:42 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA07161 for <cfrg@ietf.org>; Mon, 3 May 2004 11:08:37 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BKf3f-0007OI-HZ for cfrg@ietf.org; Mon, 03 May 2004 11:08:39 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BKf2s-0007L2-00 for cfrg@ietf.org; Mon, 03 May 2004 11:07:51 -0400
Received: from p-mail2.rd.francetelecom.com ([195.101.245.16]) by ietf-mx with esmtp (Exim 4.12) id 1BKf1w-0007Ik-00 for cfrg@ietf.org; Mon, 03 May 2004 11:06:52 -0400
Received: from parmhs4.rd.francetelecom.fr ([10.193.117.63]) by parsmtp1.rd.francetelecom.com with Microsoft SMTPSVC(6.0.3790.0); Mon, 3 May 2004 17:06:44 +0200
Received: from rd.francetelecom.fr ([10.193.167.74]) by parmhs4.rd.francetelecom.fr with Microsoft SMTPSVC(5.0.2195.6747); Mon, 3 May 2004 17:06:44 +0200
Message-ID: <40966075.8030702@rd.francetelecom.fr>
Date: Mon, 03 May 2004 17:08:37 +0200
From: Florent Bersani <florent.bersani@rd.francetelecom.fr>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: cfrg@ietf.org
Content-Type: text/plain; charset="windows-1252"; format="flowed"
X-OriginalArrivalTime: 03 May 2004 15:06:44.0116 (UTC) FILETIME=[3F228D40:01C43120]
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by ietf.org id LAA07162
Subject: [Cfrg] Providing guidance on the choice of symmetric key length?
Sender: cfrg-admin@ietf.org
Errors-To: cfrg-admin@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.1 required=5.0 tests=AWL autolearn=no version=2.60
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: quoted-printable

Hi,

Sorry to bother you with a another somewhat naive question I stumbled 
across while trying to work on an EAP method (EAP is RFC 2284 revised by 
2284bis)

In short, when using a symmetric key cryptographic primitive (namely a 
block or a stream cipher), you may have to choose (among other 
parameters) the key size. This is indeed the case with say AES, since 
according to FIPS 197, you may use a 128, 192 or 256 bit keys. The 
question is: what key length should be chosen (arguably, since this 
choice may depend on the target application in which the primitive has 
to be used, let's say for an authentication protocol used over the 
Internet).

This seems to be quite a dumb question, since the answer is IMHO 
folklore: 128 bits is OK for most (all?) applications.

My point is that I surprisingly did not find any simple and clear 
reference to which (non-expert) people working at IETF could be pointed 
to, regarding the choice of symmetric key length.

Any feedback would be most welcome.

Many thanks in advance,
Florent, who perhaps has a very stringent definition of simple and clear 
reference ;-) and agrees that his question is not a very good one :-( 
Just wanted to make sure

Indeed, the references I consulted before daring to turn to the CFRG 
include:

    * "Handbook of Applied Cryptography" by Menezes et al.: chapter 1 on
      (§1.13.4) and chapter 7 on block ciphers (§7.2.1 (iii), 7.2.3 and
      §7.8)
    * "Applied Cryptography" by Bruce Schneier, part II chapter 7 (key
      length)
    * "Minimal Key Length for Symmetric Ciphers to Provide Adequate
      Commercial Security. A Report by an Ad Hoc Group of Cryptographers
      and Computer Scientists", M. Blaze, W. Diffie et al., Jan. 1996.
    * "Selecting cryptographic key size" by Lenstra and Verheul, 2001,
      http://citeseer.ist.psu.edu/287428.html
    * "A Cost-Based Security Analysis of Symmetric and Asymmetric Key
      Lengths", RSA Laboratories Bulletin 13, April 2000 (Revised
      November 2001),
      http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html
    * "Determining strengths for public keys used for exchanging
      symmetric keys", H. Orman and P. Hoffman, RFC 3766
    * "The AES-CBC Cipher Algorithm and Its Use with IPsec", S. Frankel
      et al., RFC 3602

Generally, these references rather aim at studying public key length 
compared to symmetric key length and usually consider my question as a 
simple side problem, e.g. in RFC 3766 "While it is fairly easy to 
express the system strength requirements in terms of a symmetric key 
length".

I agree that it is not hard to become aware that there seems to be 
consensus that a 128 bit key with a (good) block cipher is OK (e.g. in 
RFC 3766 "In this section, for illustrative purposes, we will implicitly 
assume that the system security requirement is 112 bits; this doesn’t 
mean that 112 bits is recommended. In fact, 112 bits is arguably too 
strong for any practical purpose. It is used for illustration simply 
because that is the upper bound on the strength of TripleDES") and that 
some reference do provide explicit estimates for symmetric key size choice.

The naive question that however logically puzzles the curious (and 
not-expert in cryptography) protocol developer is why then do we have 
the choice to use a larger, say 256 bit, key?

Possible answers I thought of include:

    * It is a good idea to be conservative in cryptography and to allow
      for larger key sizes (but then why shouldn't I be conservative
      myself and not use AES-256?)
    * You may use larger key size but performance will degrade (a quite
      complete performance report to back up/infirm this claim seems to
      be the NESSIE deliverable 21 e.g. table 31,
      https://www.cosic.esat.kuleuven.ac.be/nessie/deliverables/D21-v2.pdf).
      However, depending on the application, performance may not be that
      much of an issue (e.g. an authentication protocol probably does
      not have the same performance requirements for its primitive as a
      "bulk data encryption protocol" - like ESP) and degradation may be
      very little (see e.g.
      http://www.ietf.org/proceedings/01dec/slides/ipsec-11.pdf).
    * You may use larger key size but you will have export regulations
      problems (for example, in France, 128 bit is a threshold, see
      http://www.ssi.gouv.fr/fr/reglementation/regl_crypto.html)

(An additional reason I was indicated for having larger key size could 
be when the key has an "entropy" that is not equal to its length but 
this seems IMHO a rather deviant and bad reason to use a 256 bit key 
block cipher with 256 bits that are chosen at random from say a 2**128 
space. I'd prefer to have the "bad" 256 key bits pre-processed and then 
used in a 128 bit block cipher)

After reading references like draft-ietf-ipsec-ciph-camellia-01.txt or 
RFC 3602, security considerations section:
"Implementations are encouraged to use the largest key sizes they can 
when taking into account performance considerations for their particular 
hardware and software configuration. Note that encryption necessarily 
impacts both sides of a secure channel, so such consideration must take 
into account not only the client side, but the server as well. However, 
a key size of 128 bits is considered secure for the foreseeable future", 
I still find it hard for a protocol developer to choose ;-)

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email