[IPsec] AES key lengths: draft-ietf-ipsecme-esp-ah-reqts

"Black, David" <david.black@emc.com> Sat, 08 March 2014 13:09 UTC

Return-Path: <david.black@emc.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E9F51A0233 for <ipsec@ietfa.amsl.com>; Sat, 8 Mar 2014 05:09:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.548
X-Spam-Level:
X-Spam-Status: No, score=-2.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wjuh8yncaALd for <ipsec@ietfa.amsl.com>; Sat, 8 Mar 2014 05:09:00 -0800 (PST)
Received: from mailuogwhop.emc.com (mailuogwhop.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 62EFA1A0120 for <ipsec@ietf.org>; Sat, 8 Mar 2014 05:09:00 -0800 (PST)
Received: from maildlpprd01.lss.emc.com (maildlpprd01.lss.emc.com [10.253.24.33]) by mailuogwprd02.lss.emc.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id s28D8sLJ005116 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 8 Mar 2014 08:08:55 -0500
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd02.lss.emc.com s28D8sLJ005116
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1394284135; bh=Xk1FxLrlZ78XAeZ6cE7gMkEr+9U=; h=From:To:Date:Subject:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=Paf7npSS8kz5juY7ediut8Z/7Jo1uwRt6TDiqm6v0GcIYGbV2omm3tWvesWpJAHF4 w59S3BrwDHo7tcg1o9UxP6hVcivLN5d0tqbECNvA7d8tCtYhcAnXxDns+twpWERBCe YVgIf8TzoPGKqegdKQzknHByUUQwoo+SZLl4pEuo=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd02.lss.emc.com s28D8sLJ005116
Received: from mailusrhubprd01.lss.emc.com (mailusrhubprd01.lss.emc.com [10.253.24.19]) by maildlpprd01.lss.emc.com (RSA Interceptor); Sat, 8 Mar 2014 08:08:39 -0500
Received: from mxhub24.corp.emc.com (mxhub24.corp.emc.com [128.222.70.136]) by mailusrhubprd01.lss.emc.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id s28D8dAV024670 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 8 Mar 2014 08:08:39 -0500
Received: from mx15a.corp.emc.com ([169.254.1.223]) by mxhub24.corp.emc.com ([128.222.70.136]) with mapi; Sat, 8 Mar 2014 08:08:38 -0500
From: "Black, David" <david.black@emc.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, ipsec <ipsec@ietf.org>
Date: Sat, 8 Mar 2014 08:08:37 -0500
Thread-Topic: AES key lengths: draft-ietf-ipsecme-esp-ah-reqts
Thread-Index: Ac86z4SnMEREQoCDQC27eSw4Gtdo9A==
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71206CF439362@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd01.lss.emc.com
X-RSA-Classifications: public
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/FMqZHddjIj8_oj4AkiDiEv128eI
Subject: [IPsec] AES key lengths: draft-ietf-ipsecme-esp-ah-reqts
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Mar 2014 13:09:03 -0000

> The next draft changes AES-128-CBC to AES-CBC, and says:
> 
> In the following sections, all AES modes are for 128-bit AES. 192-bit AES
> MAY be supported for those modes, but the requirements here are for 128-bit
> AES.

What about 256-bit AES keys?  They should also be a "MAY".

Thanks,
--David

> -----Original Message-----
> From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Paul Hoffman
> Sent: Saturday, March 08, 2014 6:56 AM
> To: ipsec
> Subject: Re: [IPsec] Working Group Last Call: draft-ietf-ipsecme-esp-ah-reqts
> 
> On Mar 3, 2014, at 12:02 PM, Valery Smyslov <svanru@gmail.com> wrote:
> 
> > The draft lists the following trasforms based on AES cipher:
> >
> > AES-GCM
> > AES-CCM
> > AES-CTR
> > AES-128-CBC
> > AES-GMAC
> > AES-XCBC-MAC-96
> >
> > All these transforms, except for AES-XCBC-MAC-96,
> > allows to be used with different key lengths - 128, 192 and 256 bits.
> > It looks strange to me that, unlike the others, AES-128-CBC
> > has key length explicitely specified in the draft. Why it differs in
> > this respect from the others? What about AES-192-CBC and
> > AES-256-CBC - are they also "MUST" or "MAY"? Or even "MUST NOT"? :-)
> >
> > I think the draft should either:
> > - remove explicit key length from AES-128-CBC and make it just AES-CBC
> > - add explicit key length to all other AES-based transforms (except for AES-
> XCBC-MAC-96)
> > - leave things as is, but explain why AES-CBC differs in this respect from
> the others
> 
> The next draft changes AES-128-CBC to AES-CBC, and says:
> 
> In the following sections, all AES modes are for 128-bit AES. 192-bit AES
> MAY be supported for those modes, but the requirements here are for 128-bit
> AES.
> 
> --Paul Hoffman
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec