Re: speaking of keys
At 3:23 PM -0500 12/6/02, Michael Richardson wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>>>>>> "The" == The Purple Streak, Hilarie Orman <ho@alum.mit.edu> writes:
> The> You only get about 80 bits of strength from a 1024-bit DH group. That
> The> seems insufficient for reasonable paranoids.
>
> Yes.
> I'd like to see the 1536 group ("group 5", still in ID queue) as a MUST
>in IKEv2, and I'd like to see the next larger group given a SHOULD.
>
> (group 5 is spec'ed as MUST for FreeSWAN-style Opportunistic Encryption,
>to support 3DES)
>
> It is very important that we spec something, and that we also suggest where
>the failover direction is.

Well, I have been corrected re the entropy confusion by David's
recent message, but why go all the way to 1536? Isn't there an
intermediate group size that would be reasonable for those who insist
on more than 1024, say something in the 1200 bit range?

Also, let's remember that the key size is not the only factor in
determining the security of these systems. It's tempting to raise
the bar on key size to make sure it is not the weakest link, and I
appreciate that. But we also run the risk of driving people away due
to the performance hit. Frankly, the worst case here might be a
software implementation on a user WS/laptop where there are lots more
likely ways that the security of the traffic will be compromised
(other than solving the discrete log problem for a 1024-bit group)
and where the performance hit will be most visible and thus may
eventually motivate an individual to NOT use IPsec at all.

I don't have a problem with a MAY for bigger groups, but I really
think it is most appropriate to focus on the management facility to
allow user communities to select their own, of whatever size they
feel is appropriate.

Steve