allocation of key material into keys
HUGO@watson.ibm.com Tue, 29 October 1996 20:07 UTC
Received: from relay.hq.tis.com by neptune.TIS.COM id aa01830; 29 Oct 96 15:07 EST
Received: by relay.hq.tis.com; id PAA09102; Tue, 29 Oct 1996 15:11:32 -0500
From: HUGO@watson.ibm.com
MMDF-Warning: Parse error in original version of preceding line at neptune.TIS.COM
Received: from clipper.hq.tis.com(10.33.1.2) by relay.tis.com via smap (V3.1.1) id xma009083; Tue, 29 Oct 96 15:11:05 -0500
Received: from relay.hq.tis.com (firewall-user@relay.hq.tis.com [10.33.1.1]) by clipper.hq.tis.com (8.7.5/8.7.3) with SMTP id PAA01739 for <ipsec@tis.com>; Tue, 29 Oct 1996 15:12:55 -0500 (EST)
Received: by relay.hq.tis.com; id PAA09067; Tue, 29 Oct 1996 15:11:02 -0500
Received: from igw3.watson.ibm.com(129.34.139.18) by relay.tis.com via smap (V3.1.1) id xma009061; Tue, 29 Oct 96 15:10:56 -0500
Received: from mailhub2.watson.ibm.com (mailhub2.watson.ibm.com [9.2.250.15]) by igw3.watson.ibm.com (8.7.6/8.7.1) with ESMTP id PAA15468; Tue, 29 Oct 1996 15:13:04 -0500
Received: from yktvmv.watson.ibm.com (yktvmv.watson.ibm.com [9.117.33.29]) by mailhub2.watson.ibm.com (8.7.1/10-26-96) with SMTP id PAA35192; Tue, 29 Oct 1996 15:12:52 -0500
Message-Id: <199610292012.PAA35192@mailhub2.watson.ibm.com>
Received: from YKTVMV by yktvmv.watson.ibm.com (IBM VM SMTP V2R3) with BSMTP id 9906; Tue, 29 Oct 96 15:12:50 EST
Date: Tue, 29 Oct 1996 14:48:31 -0500
To: sommerfeld@apollo.hp.com, rja@cisco.com
cc: ipsec@TIS.COM
Subject: allocation of key material into keys
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Ref: Your note of Mon, 28 Oct 1996 15:29:06 -0500 (attached) sommerfeld at apollo.hp.com writes: > I'd like to propose that the key management protocol > specifications only be responsible for generating a "blob" of > key material at least N bits long containing at least K bits of > entropy. For obvious reasons, K <= N. > The word "entropy" may be confusing. The important factor is the cryptographic strength of the keys. Even if a key may have a lot of random bits used for its creation (like a DH key) its strength depends on the actual algorithms that we know for attacking that key (and its uses). For example, in the case of DH keys based on primes of 1024 bit length the strength is between 90-100 bits (in the sense that current attacks on DH or discrete log take in the order of 2^90-2^100 operations). Hugo PS: just as a remark, the entropy of a DH key g^xy is 0 given that the components g^x and g^y are public and uniquely determine g^xy.