IETF-SSH archive


Re: additional core draft nits in need of WG attention.



Bill Sommerfeld <sommerfeld%east.sun.com@localhost> writes:

> > >6.  Section 4.3, second paragraph. The document says: "...effective key
> > >length of 128 bits or more". Yet, Triple-DES is the REQUIRED algorithm,
> > >and it does not meet this goal.  Suggestion: "...effective key length of
> > >96 bits or more".
> 
> so, this is a "how do we count the bits" issue.  three-key triple-des
> is under some circumstances vulnerable to a particular attack which
> takes 2^112 time and 2^112 storage.  It is not clear to me whether
> this particular attack is possible against 3des as used by SSH.

Is it out of the question to say "SHOULD have effective key length of
128 or more", and just note somewhere (DES description, or security
considerations) that there's a known 2^112 attack on des3?

If someone discovers a 2^112 attack (with huge storage requirements)
on some other supposedly 128-bit cipher, what would we do? Probably
note it in the security considerations, and try to add some better
cipher to the list.

> Do we:
> 	- Lower the recommended limit?  (to what? 96 bits? 112 bits?)
> 	- Explicitly grandfather triple-des?
> 	- Make AES REQUIRED?

Making aes required seems fine to me, although I'm not sure how that
solves the problem. I don't think we can deprecate des3 at this time,
it's too early to say that aes is more secure than des3.

/Niels


