Re: [TLS] Comparative cipher suite strengths
"Blumenthal, Uri" <uri@ll.mit.edu> Sun, 03 May 2009 15:42 UTC
Return-Path: <uri@ll.mit.edu>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 19C743A6989 for <tls@core3.amsl.com>; Sun, 3 May 2009 08:42:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.813
X-Spam-Level:
X-Spam-Status: No, score=-4.813 tagged_above=-999 required=5 tests=[AWL=-1.416, BAYES_50=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_46=0.6, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y8o6iErV6oy4 for <tls@core3.amsl.com>; Sun, 3 May 2009 08:42:16 -0700 (PDT)
Received: from ll.mit.edu (LLMAIL1.LL.MIT.EDU [129.55.12.41]) by core3.amsl.com (Postfix) with ESMTP id C005D3A6B2A for <tls@ietf.org>; Sun, 3 May 2009 08:42:16 -0700 (PDT)
Received: (from smtp@localhost) by ll.mit.edu (8.12.10/8.8.8) id n43FhQ37012486 for <tls@ietf.org>; Sun, 3 May 2009 11:43:26 -0400 (EDT)
Received: from lle2k7-hub01.llan.ll.mit.edu( ), claiming to be "LLE2K7-HUB01.mitll.ad.local" via SMTP by llpost, id smtpdAAA7Ra4py; Sun May 3 11:42:51 2009
Received: from LLE2K7-BE01.mitll.ad.local ([ ]) by LLE2K7-HUB01.mitll.ad.local ([ ]) with mapi; Sun, 3 May 2009 11:42:51 -0400
From: "Blumenthal, Uri" <uri@ll.mit.edu>
To: "tls@ietf.org" <tls@ietf.org>
Date: Sun, 03 May 2009 11:42:49 -0400
Thread-Topic: [TLS] Comparative cipher suite strengths
Thread-Index: AcnLCjRusRp8GW8nS3uxlnpkePF4OQA+5teS
Message-ID: <C62333B9.44AA%uri@ll.mit.edu>
In-Reply-To: <E1M0Bi4-0006y0-6o@wintermute01.cs.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C62333B944AAurillmitedu_"
MIME-Version: 1.0
Subject: Re: [TLS] Comparative cipher suite strengths
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2009 15:42:24 -0000
While this certainly makes a nice tea-table story, I question the "historical truthfulness" of it. YOU may need to explain things to YOUR customers (and make them understand), lest they feel mistreated and go to another vendor. I don't think USG agencies have the same luxury of choosing their own crypto policy provider and product approver! The pressure usually is applied the other way (the "other" agency says "we want/need this", and the "crypto" branch responds "nonetheless you shall use that, and we cannot reveal to you why"). P.S. AES competition had entries with variable key sizes, I think up to 512 bits. Did it look bad - selecting an algorithm with lower maximum key length? No agency complained loud enough for us to hear, I guess? P.P.S. If you choose so, you can define AES with independent subkeys, using PRNG to generate keys for each round from a given seed of any length you select (say 302 bits?). :-) P.P.P.S. KGB's encryption standard - "GOST" - was released in 1981 or 1983 (internally!) for "sensitive but unclassified" data and had 256-bit key. Design allowed independent subkeys of 512 bits (if memory serves me). And that's on a 64-bit block cipher... On 5/2/09 05:40 , "Peter Gutmann" <pgut001@cs.auckland.ac.nz> wrote: Bill Frantz <frantz@pwpconsult.com> writes: >When I think of the reasons that NSA/DOD could have for requiring AES-128 for >secret and AES-192 for top secret, I think they may be looking at the whole >cryptographic system. They're also looking at the whole political system. During a discussion among crypto geeks some years ago someone from some branch of the USG involved with crypto said that they were under a lot of pressure from govt-agency consumers of crypto who were used to commercial products with keys that went up to 10, 11, and 12. Having a single key size of (say) 128 bits would look bad when those same govt-agency consumers could go out and buy commercial products that were obviously stronger than the proposed government standard because they had larger numbers behind the algorithm name. So although there wasn't any immediate technical reason to use larger keys, if there wasn't a capability in AES for keys to go to 11 or 12 then it would look bad compared to non-govt- approved crypto. I don't know how much influence that had on the final decision, but given the choice between having to explain for the rest of my life to one govt.agency after another that 128 bits is good enough, and simply letting them choose keys that go to 11 if it makes them feel better, I know which one I'd choose. Peter. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls -- Regards, Uri <Disclaimer>
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- [TLS] Comparative cipher suite strengths Carl Young
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Simon Josefsson
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Michael.G.Williams
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Paul Hoffman
- Re: [TLS] Comparative cipher suite strengths Daniel Brown
- Re: [TLS] Comparative cipher suite strengths Paul Hoffman
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Martin Rex
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Michael D'Errico
- Re: [TLS] Comparative cipher suite strengths carlyoung
- Re: [TLS] Comparative cipher suite strengths Florian Weimer
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Vipul Gupta
- Re: [TLS] Comparative cipher suite strengths Nicolas Williams
- Re: [TLS] Comparative cipher suite strengths Robert Relyea
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Bill Frantz
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Blumenthal, Uri
- Re: [TLS] Comparative cipher suite strengths Jeffrey A. Williams
- Re: [TLS] Comparative cipher suite strengths Martin Rex
- Re: [TLS] Comparative cipher suite strengths Eric Rescorla
- Re: [TLS] Comparative cipher suite strengths Peter Gutmann
- Re: [TLS] Comparative cipher suite strengths Dean Anderson
- Re: [TLS] Comparative cipher suite strengths Steven M. Bellovin