AES cipher suites
Charlie,
> It also includes only a single option for cipher suites. There is
> general agreement that we need more, but I need concrete proposals
> on what they should be. Currently specified is:
>
> 1536-bit Diffie-Hellman; 112-bit 3DES CBC; HMAC-SHA1; ESP.
>
> People have advocated something with a smaller D-H group for performance,
> something with a bigger D-H group for security, 128 bit AES (is that CBC
> mode, counter mode, or do we need both?).

On behalf of the IP Storage (ips) folks who are depending on AES
counter mode, I want to make a strong request for specification of
*both* an AES-CBC suite and an AES-CTR suite. IPS's use of AES-CTR
is motivated by a desire to build high-speed hardware. While AES-CTR
is the "right thing" for that class of implementation, I'm reluctant
to impose it on everyone who wants to use AES by not defining an
AES-CBC suite. For ips's usage, AES-CTR does not need a smaller D-H
group, and going to a larger one seems reasonable given the
motivation to transfer large amounts of data at high speed. While
I could live with suites that differed only in the D-H group, I'm
not going to propose them, so here are a couple of strawmen to get
started:

1536-bit Diffie-Hellman; 128-bit AES CBC; HMAC-SHA1; ESP.
2048-bit Diffie-Hellman; 128-bit AES CTR; HMAC-SHA1; ESP.

The 2048 bit D-H is still weaker than 128 bit AES, but I'm
reluctant to go to the 3072 bit group that would bring
them closer, since concerns are already being expressed
about the overhead of the 1536-bit group. That can wait until
there's a realistic need to resist things like O(2^100) attacks.

Q: Should AES suites with AES-CBC MAC + XCBC be defined as a
backstop against the unlikely event that a disastrous
attack on HMAC-SHA1 turns up?
AES-CBC MAC + XCBC is the backup MAC algorithm for IP Storage
("SHOULD implement" in the ips drafts).

Thanks,
--David
----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA 01748
+1 (508) 293-7953 **NEW** FAX: +1 (508) 293-7786
black_david@xxxxxxx Mobile: +1 (978) 394-7754
----------------------------------------------------
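
The comparison of D-H group size against cipher key size made in the message above can be put in rough numbers. This is an added example, not part of the original message: it parses the suite strings as written there and estimates each D-H group with the asymptotic number field sieve cost formula with the o(1) term dropped, which is an assumption (calibrated tables such as NIST SP 800-57 rate the same groups lower). The 3072-bit suite string is constructed for comparison.

```python
import math
import re

# Suite strings as written in the message above.
SUITES = [
    "1536-bit Diffie-Hellman; 112-bit 3DES CBC; HMAC-SHA1; ESP.",
    "1536-bit Diffie-Hellman; 128-bit AES CBC; HMAC-SHA1; ESP.",
    "2048-bit Diffie-Hellman; 128-bit AES CTR; HMAC-SHA1; ESP.",
]
# Constructed for comparison: the 3072-bit group the message mentions.
HYPOTHETICAL_3072 = "3072-bit Diffie-Hellman; 128-bit AES CTR; HMAC-SHA1; ESP."

SUITE_RE = re.compile(
    r"(?P<dh>\d+)-bit Diffie-Hellman;\s*"
    r"(?P<key>\d+)-bit (?P<cipher>3DES|AES) (?P<mode>CBC|CTR);"
)


def gnfs_bits(modulus_bits):
    """log2 of the heuristic number field sieve cost for this modulus size.

    Assumption: L(n) = exp((64/9)^(1/3) (ln n)^(1/3) (ln ln n)^(2/3)),
    o(1) term dropped, so this is a rough estimate only.
    """
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def analyse(suite):
    """Parse one suite string and report which component is weakest."""
    m = SUITE_RE.match(suite)
    if m is None:
        raise ValueError(f"unrecognised suite: {suite!r}")
    dh_strength = gnfs_bits(int(m["dh"]))
    key_bits = int(m["key"])
    return {
        "dh_bits": int(m["dh"]),
        "cipher": f"{m['cipher']}-{m['mode']}",
        "key_bits": key_bits,
        "dh_strength": round(dh_strength, 1),
        "weakest": "dh" if dh_strength < key_bits else "cipher",
    }


if __name__ == "__main__":
    for s in SUITES + [HYPOTHETICAL_3072]:
        r = analyse(s)
        print(f"{r['dh_bits']:>5}-bit D-H ~2^{r['dh_strength']:<6} vs "
              f"{r['key_bits']}-bit {r['cipher']:<9} weakest: {r['weakest']}")
```

Under this estimate the D-H group is the weakest component in all three suites from the message, and only the 3072-bit group moves the bottleneck to the 128-bit cipher.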