Re: [sasl] MOGGIES Proposed Charter

Tom Yu <tlyu@MIT.EDU> Fri, 21 May 2010 22:43 UTC

Return-Path: <tlyu@mit.edu>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4F1F23A6A59; Fri, 21 May 2010 15:43:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.867
X-Spam-Level:
X-Spam-Status: No, score=-0.867 tagged_above=-999 required=5 tests=[AWL=-0.868, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NpDtg10-ILUk; Fri, 21 May 2010 15:43:45 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU [18.7.68.36]) by core3.amsl.com (Postfix) with ESMTP id 02C1E3A6942; Fri, 21 May 2010 15:43:44 -0700 (PDT)
X-AuditID: 12074424-b7b9dae000002832-1e-4bf70c9af6bc
Received: from mailhub-auth-1.mit.edu (MAILHUB-AUTH-1.MIT.EDU [18.9.21.35]) by dmz-mailsec-scanner-7.mit.edu (Symantec Brightmail Gateway) with SMTP id 65.0A.10290.A9C07FB4; Fri, 21 May 2010 18:43:38 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id o4LMhblE031336; Fri, 21 May 2010 18:43:37 -0400
Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id o4LMhZgV020165 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 21 May 2010 18:43:36 -0400 (EDT)
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id o4LMhZ5Q004255; Fri, 21 May 2010 18:43:35 -0400 (EDT)
To: Nicolas Williams <Nicolas.Williams@oracle.com>
Subject: Re: [sasl] MOGGIES Proposed Charter
References: <20100518191521.GL9429@oracle.com> <201005202238.o4KMcML6028897@fs4113.wdf.sap.corp> <20100520225647.GX9605@oracle.com>
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 21 May 2010 18:43:35 -0400
In-Reply-To: <20100520225647.GX9605@oracle.com> (Nicolas Williams's message of "Thu, 20 May 2010 17:56:47 -0500")
Message-ID: <ldvy6fc3mg8.fsf@cathode-dark-space.mit.edu>
Lines: 31
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Brightmail-Tracker: AAAAAA==
Cc: kitten@ietf.org, tim.polk@nist.gov, sasl@ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 May 2010 22:43:46 -0000

Nicolas Williams <Nicolas.Williams@oracle.com> writes:

> On Fri, May 21, 2010 at 12:38:22AM +0200, Martin Rex wrote:
>
>> What changes over time is the amount of "strength" that one considers
>> secure.  
>
> Not only.  Cryptanalysis progresses and the relative strengths of
> various algorithms can vary.
>
> I abhor anything remotely like a quantification of cryptographic
> strength, and will for the forseeable future.

The meaning of "security strength" can be made fairly precise by
definitions involving, for example, the base 2 logarithm of the time
or space complexity of attacking an algorithm, e.g., NIST SP 800-57,
Part 1, Section 5.6.1.  That text gives the example of three-key
triple DES, which has 168 bits of key material and has 112 bits of
effective security strength.

Yes, this means that you may have to revise the numeric "security
strength" that you report for a given cryptographic association as new
cryptanalytic attacks are discovered, but you would have to do that
anyway with a non-numeric method of reporting "security strength".

As I understand it, defeating an algorithm with a security strength of
128 bits approaches or exceeds reasonable information-theoretic bounds
on the computational capacity of the universe, unless you consider
quantum computing to be a credible threat.  I expect that the amount
of "strength" that we consider secure is unlikely to change unless
tremendous advances occur in the realm of quantum computing.