[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [saag] The use of AES-192 and AES-256 in Secure RTP

From: Jon Callas <jon at callas.org>
To: David McGrew <mcgrew at cisco.com>
Cc: saag at mit.edu, ietf-rtpsec at imc.org, AVT <avt at ietf.org>
Date: Thu, 4 May 2006 10:51:41 -0700
In-reply-to: <C8D173D1-E0F6-445C-8AD2-E1A0996F86F7 at cisco.com>
References: <A9ACC159-C642-43D4-9DB1-FD2889543814 at cisco.com> <6.2.5.6.2.20060502093853.058c5948 at qualcomm.com> <BB6DC445-D3B5-4BF3-84A9-E0975CDAB812 at cisco.com> <6.2.5.6.2.20060502145206.05a6e4f8 at qualcomm.com> <p06230903c07ed0aaf750 at [10.81.115.240]> <5ABD5019-6481-45A1-A981-4BE362E190F8 at cisco.com> <p06230900c07fc0bf3d07 at [10.81.115.240]> <C8D173D1-E0F6-445C-8AD2-E1A0996F86F7 at cisco.com>

I agree with the assessment that there's no security need forAES-256. Until we get quantum computers or something like them, 128bits are enough. However, there are trends that make it so thatAES-256 is now the norm, regardless of what we think. Here are anumber of reasons:

* The intelligent-but-naive populace will think that 256 is betterthan 128. Bigger is better. The intelligent-but-paranoid crowd whovaguely remember the crypto wars are often convinced that 128-bits isnow "exportable" (meaning easily breakable by efforts similar toDeepCrack). I talk to these people all the time. Yes, they exist. Inshort, customers respond positively to the use of 256-bit keys.

* Suite B, which specifies 192/256 for top secret data reinforces theabove. After all, if the government recommends 128 for secret data,and 256 for top secret, what's good for them is good for me.

* AES-256 is 20%-ish slower than AES-128. In real-world systems, thisends up being far less. I did a bit of googling as I composed this tolook for charts and numbers. You can, too. But look at <http://www.psc.edu/networking/projects/hpn-ssh/theory.php> which has nicecharts of a variety of ciphers in SCP/SSH performance. In short, the*cost* of implementing AES-256 is low.

The effect of these together is that the costs of 256 bit keys arelow, the benefits in marketing, perception, and merely being seen asup-to-date are high. You can also denigrate those who are notoffering 256.

That's why you're seeing it. These aren't security reasons, they'rehuman reasons.

Jon

References:
- [saag] The use of AES-192 and AES-256 in Secure RTP
  - From: David McGrew
- Re: [saag] The use of AES-192 and AES-256 in Secure RTP
  - From: Lakshminath Dondeti
- Re: [saag] The use of AES-192 and AES-256 in Secure RTP
  - From: David McGrew
- Re: [saag] The use of AES-192 and AES-256 in Secure RTP
  - From: Lakshminath Dondeti
- Re: [saag] The use of AES-192 and AES-256 in Secure RTP
  - From: Stephen Kent
- Re: [saag] The use of AES-192 and AES-256 in Secure RTP
  - From: David McGrew
- Re: [saag] The use of AES-192 and AES-256 in Secure RTP
  - From: Stephen Kent
- Re: [saag] The use of AES-192 and AES-256 in Secure RTP
  - From: David McGrew

Prev by Date: Re: [saag] The use of AES-192 and AES-256 in Secure RTP
Next by Date: Re: [saag] The use of AES-192 and AES-256 in Secure RTP
Previous by thread: Re: [saag] The use of AES-192 and AES-256 in Secure RTP
Next by thread: Re: [saag] The use of AES-192 and AES-256 in Secure RTP
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.