RE: Security Use Requirements

Michael Eisler <mre@zambeel.com> Thu, 08 February 2001 02:56 UTC

From: Michael Eisler <mre@zambeel.com>
Reply-To: Michael Eisler <mre@zambeel.com>
To: ips@ece.cmu.edu
Date: Wed, 07 Feb 2001 16:55:59 -0800
Subject: RE: Security Use Requirements
In-Reply-To: "Your message with ID" <5.0.0.25.2.20010207155733.00a63d00@10.30.15.2>
Message-ID: <Roam.SIMC.2.0.6.981593759.11529.mre@zambeel.com>

Why use DES, which is slow for software implementations, when AES
is there, is fast, and has little dispute about its safety?

draft-ietf-ipsec-ciph-aes-cbc-01.txt proposes a means
for using AES in IPsec.

draft-ietf-tls-ciphersuite-03.txt proposes a means for
using AES in TLS.

3DES is really, really slow for software to the point of being impractical.
While one can always mandate it for implementation, in practice I doubt any
customer using a software 3DES over ips will want to use it.

	-mre

> At 15:20 07/02/01, Joshua Tseng wrote:
> 
> >It's often been said that the only thing worse than NO SECURITY
> >is the ILLUSION of security.  
> 
> Some security keeps the kiddies away, no security doesn't.
> I'd much rather have DES-CBC than nothing, because it visibly
> increases the work function for the adversary.
> 
> >Single DES is known to be cracked.
> 
> That is a false statement.  It hasn't been cracked.  The best
> attack known in the public literature is Biham-Shamir, which 
> requires ~O(2^^56) operations and some non-trivial preconditions.  
> There have been some specific brute-force attacks on DES that worked, 
> but they weren't real-time attacks and required a significant amount 
> of computational power.
> 
> I'm not arguing against 3DES in preference to DES-CBC, but it 
> is just wrong to claim either that DES-CBC is cracked or 
> that running in the clear is better than running with DES-CBC
> (assumes reasonable cryptographic authentication in all cases).
> Note also that my comments are constrained to what is in the 
> published literature...
> 
> Ran
> rja@inet.org
> 
>