More AES suites (was: draft-ietf-ipsec-ikev2-04.txt)
Charlie,

> > For ips's usage, AES-CTR does not need a smaller D-H
> > group, and going to a larger one seems reasonable given the
> > motivation to transfer large amounts of data at high speed.  While
> > I could live with suites that differed only in the D-H group, I'm
> > not going to propose them, so here are a couple of strawmen to get
> > started:
> >
> > 1536-bit Diffie-Hellman; 128-bit AES CBC; HMAC-SHA1; ESP.
> > 2048-bit Diffie-Hellman; 128-bit AES CTR; HMAC-SHA1; ESP.
> 
> There are separate suites for IKE SAs and for ESP SAs. The ESP SAs are the
> ones likely to be performance sensitive. What if the ESP SAs were:
> 
> 168-bit 3DES CBC; HMAC-SHA1; ESP w/o extended sequence numbers (for
> backwards compatibility)
> 128-bit AES CBC; HMAC-SHA1; ESP w/extended sequence numbers
> 128-bit AES CTR; HMAC-SHA1; ESP w/extended sequence numbers

That's a good start, but leaves the issue mentioned by several
people of what to do for AES CBC MAC w/XCBC.  That's interesting
as an alternative to an unlikely HMAC-SHA1 disastrous compromise
and for higher speed.  The following seems to be a good addition
for speed:

128-bit AES CTR; AES CBC MAC w/XCBC; ESP w/extended sequence numbers

and someone wanting to build only one and a fraction AES operating
modes will probably find this one attractive:

128-bit AES CBC; AES CBC MAC w/XCBC; ESP w/extended sequence numbers

as the AES CBC functional block can be built once and used twice.
If one believes that the previous 3 are needed, then this fourth
one makes sense.

OTOH, once "AES CTR; AES CBC MAC w/XCBC ..." exists, it's not
clear what the purpose of "AES CTR; HMAC-SHA1 ..." is,
as it's slower, and unlikely to help if something goes wrong
with the former mode, as the CBC MAC seems to be rather unlikely
to get disastrously compromised ... which sounds like a great
"famous last words" quote, so perhaps the right thing to do is
not over analyze/optimize this and just put in all 4 AES modes.

[... rest snipped ...]

I have no problem with going to extended sequence numbers for
all usage of AES.

Thanks,
--David
----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
black_david@xxxxxxx        Mobile: +1 (978) 394-7754
----------------------------------------------------