IETF Logo Mail Archive

Re: [TLS] Comparative cipher suite strengths

"Blumenthal, Uri" <uri@ll.mit.edu> Sun, 03 May 2009 15:42 UTC

Return-Path: <uri@ll.mit.edu>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 19C743A6989 for <tls@core3.amsl.com>; Sun, 3 May 2009 08:42:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.813
X-Spam-Level:
X-Spam-Status: No, score=-4.813 tagged_above=-999 required=5 tests=[AWL=-1.416, BAYES_50=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_46=0.6, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y8o6iErV6oy4 for <tls@core3.amsl.com>; Sun, 3 May 2009 08:42:16 -0700 (PDT)
Received: from ll.mit.edu (LLMAIL1.LL.MIT.EDU [129.55.12.41]) by core3.amsl.com (Postfix) with ESMTP id C005D3A6B2A for <tls@ietf.org>; Sun, 3 May 2009 08:42:16 -0700 (PDT)
Received: (from smtp@localhost) by ll.mit.edu (8.12.10/8.8.8) id n43FhQ37012486 for <tls@ietf.org>; Sun, 3 May 2009 11:43:26 -0400 (EDT)
Received: from lle2k7-hub01.llan.ll.mit.edu( ), claiming to be "LLE2K7-HUB01.mitll.ad.local" via SMTP by llpost, id smtpdAAA7Ra4py; Sun May 3 11:42:51 2009
Received: from LLE2K7-BE01.mitll.ad.local ([ ]) by LLE2K7-HUB01.mitll.ad.local ([ ]) with mapi; Sun, 3 May 2009 11:42:51 -0400
From: "Blumenthal, Uri" <uri@ll.mit.edu>
To: "tls@ietf.org" <tls@ietf.org>
Date: Sun, 03 May 2009 11:42:49 -0400
Thread-Topic: [TLS] Comparative cipher suite strengths
Thread-Index: AcnLCjRusRp8GW8nS3uxlnpkePF4OQA+5teS
Message-ID: <C62333B9.44AA%uri@ll.mit.edu>
In-Reply-To: <E1M0Bi4-0006y0-6o@wintermute01.cs.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C62333B944AAurillmitedu_"
MIME-Version: 1.0
Subject: Re: [TLS] Comparative cipher suite strengths
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2009 15:42:24 -0000

While this certainly makes a nice tea-table story, I question the "historical truthfulness" of it.

YOU may need to explain things to YOUR customers (and make them understand), lest they feel mistreated and go to another vendor. I don't think USG agencies have the same luxury of choosing their own crypto policy provider and product approver! The pressure usually is applied the other way (the "other" agency says "we want/need this", and the "crypto" branch responds "nonetheless you shall use that, and we cannot reveal to you why").

P.S. AES competition had entries with variable key sizes, I think up to 512 bits. Did it look bad - selecting an algorithm with lower maximum key length? No agency complained loud enough for us to hear, I guess?

P.P.S. If you choose so, you can define AES with independent subkeys, using PRNG to generate keys for each round from a given seed of any length you select (say 302 bits?).  :-)

P.P.P.S. KGB's encryption standard - "GOST" - was released in 1981 or 1983 (internally!) for "sensitive but unclassified" data and had 256-bit key. Design allowed independent subkeys of 512 bits (if memory serves me). And that's on a 64-bit block cipher...


On 5/2/09  05:40 , "Peter Gutmann" <pgut001@cs.auckland.ac.nz> wrote:

Bill Frantz <frantz@pwpconsult.com> writes:

>When I think of the reasons that NSA/DOD could have for requiring AES-128 for
>secret and AES-192 for top secret, I think they may be looking at the whole
>cryptographic system.

They're also looking at the whole political system.  During a discussion among
crypto geeks some years ago someone from some branch of the USG involved with
crypto said that they were under a lot of pressure from govt-agency consumers
of crypto who were used to commercial products with keys that went up to 10,
11, and 12.  Having a single key size of (say) 128 bits would look bad when
those same govt-agency consumers could go out and buy commercial products that
were obviously stronger than the proposed government standard because they had
larger numbers behind the algorithm name.  So although there wasn't any
immediate technical reason to use larger keys, if there wasn't a capability in
AES for keys to go to 11 or 12 then it would look bad compared to non-govt-
approved crypto.

I don't know how much influence that had on the final decision, but given the
choice between having to explain for the rest of my life to one govt.agency
after another that 128 bits is good enough, and simply letting them choose
keys that go to 11 if it makes them feel better, I know which one I'd choose.

Peter.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


--
Regards,
Uri
<Disclaimer>

v2.23.0 | Report a Bug | By Email