IETF Logo Mail Archive

Re: [Cfrg] Providing guidance on the choice of symmetric key length?

Daniel Brown <DBrown@certicom.com> Mon, 03 May 2004 17:28 UTC

Received: from optimus.ietf.org (iesg.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA15153 for <cfrg-archive@odin.ietf.org>; Mon, 3 May 2004 13:28:35 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKh12-0000hx-D1 for cfrg-archive@odin.ietf.org; Mon, 03 May 2004 13:14:04 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i43HE4uO002721 for cfrg-archive@odin.ietf.org; Mon, 3 May 2004 13:14:04 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKgs4-0006a9-II for cfrg-web-archive@optimus.ietf.org; Mon, 03 May 2004 13:04:48 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA14046 for <cfrg-web-archive@ietf.org>; Mon, 3 May 2004 13:04:44 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BKgs2-0001im-RL for cfrg-web-archive@ietf.org; Mon, 03 May 2004 13:04:46 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BKgr5-0001dl-00 for cfrg-web-archive@ietf.org; Mon, 03 May 2004 13:03:50 -0400
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1BKgql-0001ZE-00 for cfrg-web-archive@ietf.org; Mon, 03 May 2004 13:03:27 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKgge-0003ov-Iq; Mon, 03 May 2004 12:53:00 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BKgYx-0001E9-Hp for cfrg@optimus.ietf.org; Mon, 03 May 2004 12:45:03 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA12524 for <cfrg@ietf.org>; Mon, 3 May 2004 12:44:59 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BKgYv-0006zL-SF for cfrg@ietf.org; Mon, 03 May 2004 12:45:01 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BKgXE-0006gv-00 for cfrg@ietf.org; Mon, 03 May 2004 12:43:21 -0400
Received: from ns.ca.certicom.com ([66.48.18.197] helo=mail.ca.certicom.com ident=postfix) by ietf-mx with esmtp (Exim 4.12) id 1BKgVb-0006PS-00 for cfrg@ietf.org; Mon, 03 May 2004 12:41:35 -0400
Received: from spamfilter.certicom.com (storm [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id 7E6C7100CF; Mon, 3 May 2004 12:41:35 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by spamfilter.certicom.com (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16222-44; Mon, 3 May 2004 12:41:27 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id 36F6210191; Mon, 3 May 2004 12:41:26 -0400 (EDT)
In-Reply-To: <40966075.8030702@rd.francetelecom.fr>
To: Florent Bersani <florent.bersani@rd.francetelecom.fr>
Cc: cfrg@ietf.org
Subject: Re: [Cfrg] Providing guidance on the choice of symmetric key length?
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.0.1 February 07, 2003
Message-ID: <OF0090CCC1.081AAB9C-ON85256E89.00560D21-85256E89.005BB134@certicom.com>
From: Daniel Brown <DBrown@certicom.com>
Date: Mon, 03 May 2004 12:35:14 -0400
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 6.0.1|February 07, 2003) at 05/03/2004 12:35:16 PM, Serialize complete at 05/03/2004 12:35:16 PM
Content-Type: multipart/alternative; boundary="=_alternative 005BB0E385256E89_="
Sender: cfrg-admin@ietf.org
Errors-To: cfrg-admin@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=HTML_MESSAGE autolearn=no version=2.60

Florent,

Although it may not answer your question fully, another useful document 
that speaks about key sizes is NIST draft Special Publication 800-57, Part 
1, (see http://csrc.nist.gov/CryptoToolkit/kms/guideline-1-Jan03.pdf). 

Specifically, Table 9, pages 98-99, states what symmetric key sizes NIST 
believes to be appropriate for data that needs protection continuing in 
the future.  It rates AES 128, 192 and 256 as appropriate for data needing 
protection beyond 2035, but it does not distinguish any further between 
these 3 key sizes.  (Arguably, it would be too speculative to forecast any 
farther into the future.)  It does suggest that TDES is only appropriate 
for data needing protection up to 2035 but not farther. (I've heard that 
2035 will be corrected to 2030.)

Thanks,

        Dan

PS For what little it's worth, although I agree in principle that one 
should use the highest security feasible, I'd also agree that 128-bit 
security is good enough for nearly everybody.  Reasons for 192 or 256-bit 
security instead of 128-bit include protecting extremely sensitive 
information, long-term protection (40, 50, 60+ years from today), worries 
that forecasters have underestimated computing advances in the next 25 
years by a large factor (about 2^64 or more), a willingness pay for the 
extra cost of larger key sizes today as a kind of insurance that may or 
may not pay out.




cfrg-admin@ietf.org wrote on 05/03/2004 11:08:37 AM:

> Hi,
> 
> Sorry to bother you with a another somewhat naive question I stumbled 
> across while trying to work on an EAP method (EAP is RFC 2284 revised by 

> 2284bis)
> 
> In short, when using a symmetric key cryptographic primitive (namely a 
> block or a stream cipher), you may have to choose (among other 
> parameters) the key size. This is indeed the case with say AES, since 
> according to FIPS 197, you may use a 128, 192 or 256 bit keys. The 
> question is: what key length should be chosen (arguably, since this 
> choice may depend on the target application in which the primitive has 
> to be used, let's say for an authentication protocol used over the 
> Internet).
> 
> This seems to be quite a dumb question, since the answer is IMHO 
> folklore: 128 bits is OK for most (all?) applications.
> 
> My point is that I surprisingly did not find any simple and clear 
> reference to which (non-expert) people working at IETF could be pointed 
> to, regarding the choice of symmetric key length.
> 
> Any feedback would be most welcome.
> 
> Many thanks in advance,
> Florent, who perhaps has a very stringent definition of simple and clear 

> reference ;-) and agrees that his question is not a very good one :-( 
> Just wanted to make sure
> 
> Indeed, the references I consulted before daring to turn to the CFRG 
> include:
> 
>     * "Handbook of Applied Cryptography" by Menezes et al.: chapter 1 on
>       (§1.13.4) and chapter 7 on block ciphers (§7.2.1 (iii), 7.2.3 and
>       §7.8)
>     * "Applied Cryptography" by Bruce Schneier, part II chapter 7 (key
>       length)
>     * "Minimal Key Length for Symmetric Ciphers to Provide Adequate
>       Commercial Security. A Report by an Ad Hoc Group of Cryptographers
>       and Computer Scientists", M. Blaze, W. Diffie et al., Jan. 1996.
>     * "Selecting cryptographic key size" by Lenstra and Verheul, 2001,
>       http://citeseer.ist.psu.edu/287428.html
>     * "A Cost-Based Security Analysis of Symmetric and Asymmetric Key
>       Lengths", RSA Laboratories Bulletin 13, April 2000 (Revised
>       November 2001),
>       http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html
>     * "Determining strengths for public keys used for exchanging
>       symmetric keys", H. Orman and P. Hoffman, RFC 3766
>     * "The AES-CBC Cipher Algorithm and Its Use with IPsec", S. Frankel
>       et al., RFC 3602
> 
> Generally, these references rather aim at studying public key length 
> compared to symmetric key length and usually consider my question as a 
> simple side problem, e.g. in RFC 3766 "While it is fairly easy to 
> express the system strength requirements in terms of a symmetric key 
> length".
> 
> I agree that it is not hard to become aware that there seems to be 
> consensus that a 128 bit key with a (good) block cipher is OK (e.g. in 
> RFC 3766 "In this section, for illustrative purposes, we will implicitly 

> assume that the system security requirement is 112 bits; this doesn?t 
> mean that 112 bits is recommended. In fact, 112 bits is arguably too 
> strong for any practical purpose. It is used for illustration simply 
> because that is the upper bound on the strength of TripleDES") and that 
> some reference do provide explicit estimates for symmetric key size 
choice.
> 
> The naive question that however logically puzzles the curious (and 
> not-expert in cryptography) protocol developer is why then do we have 
> the choice to use a larger, say 256 bit, key?
> 
> Possible answers I thought of include:
> 
>     * It is a good idea to be conservative in cryptography and to allow
>       for larger key sizes (but then why shouldn't I be conservative
>       myself and not use AES-256?)
>     * You may use larger key size but performance will degrade (a quite
>       complete performance report to back up/infirm this claim seems to
>       be the NESSIE deliverable 21 e.g. table 31,
> https://www.cosic.esat.kuleuven.ac.be/nessie/deliverables/D21-v2.pdf).
>       However, depending on the application, performance may not be that
>       much of an issue (e.g. an authentication protocol probably does
>       not have the same performance requirements for its primitive as a
>       "bulk data encryption protocol" - like ESP) and degradation may be
>       very little (see e.g.
>       http://www.ietf.org/proceedings/01dec/slides/ipsec-11.pdf).
>     * You may use larger key size but you will have export regulations
>       problems (for example, in France, 128 bit is a threshold, see
>       http://www.ssi.gouv.fr/fr/reglementation/regl_crypto.html)
> 
> (An additional reason I was indicated for having larger key size could 
> be when the key has an "entropy" that is not equal to its length but 
> this seems IMHO a rather deviant and bad reason to use a 256 bit key 
> block cipher with 256 bits that are chosen at random from say a 2**128 
> space. I'd prefer to have the "bad" 256 key bits pre-processed and then 
> used in a 128 bit block cipher)
> 
> After reading references like draft-ietf-ipsec-ciph-camellia-01.txt or 
> RFC 3602, security considerations section:
> "Implementations are encouraged to use the largest key sizes they can 
> when taking into account performance considerations for their particular 

> hardware and software configuration. Note that encryption necessarily 
> impacts both sides of a secure channel, so such consideration must take 
> into account not only the client side, but the server as well. However, 
> a key size of 128 bits is considered secure for the foreseeable future", 

> I still find it hard for a protocol developer to choose ;-)
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email