Re: [TLS] Proposed text for IDEA/DES document
Here's an update to the text proposal, incorporating many of
the comments received so far:

N. Security Considerations

N.1. DES Cipher Suites

DES has an effective key strength of 56 bits, which has been
known to be vulnerable to practical brute force attacks for over 20
years [DH]. A relatively recent 2006 paper by Kumar et al. [COPA]
describes a system which performs exhaustive key search in less than
nine days on average, and costs less than 10,000 USD to build.

Given these, the single-DES cipher suites SHOULD NOT be implemented
by TLS libraries. If a TLS library implements these cipher suites,
it SHOULD NOT enable them by default. Experience has also shown that
rarely used code is a source of security and interoperability
problems, so existing implementations SHOULD consider removing these
cipher suites.

N.2. IDEA Cipher Suites

IDEA has a 128-bit key, and thus is not vulnerable to exhaustive key
search. However, IDEA cipher suites for TLS have not seen widespread
use: most implementations either do not support them, do not enable
them by default, or do not negotiate them when other algorithms (such
as AES, 3DES, or RC4) are available.

Experience has shown that rarely used code is a source of security
and interoperability problems; given this, the IDEA cipher suites
SHOULD NOT be implemented by TLS libraries, and SHOULD be removed
from existing implementations. If a TLS library implements these
cipher suites, it SHOULD NOT enable them by default.

(To be determined: should we include text speculating why IDEA has
been rarely used, including e.g. reasons mentioned on the list so
far? This would include at least IPR, performance in software, short
block size, and lack of government approval in many countries.)

The last paragraph of IDEA text obviously needs work (if we choose
to include some of those reasons), and we need to be careful to
distinguish facts (where everyone agrees) and personal opinions
(and in worst case, FUD).

Comments?

Best regards,
Pasi
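
One way to check whether a client still enables the suites the proposed text discourages, as an added example that is not part of the original message: it parses a TLS ClientHello record and reports any single-DES or IDEA suite offered, with its position in the client's preference order. The function names and the sample ClientHello are constructed for illustration; the code points are the IANA-registered values for these suites, and the ClientHello is assumed to fit in one unfragmented record.

```python
# Added example: flag single-DES / IDEA suites offered in a TLS ClientHello.
# Assumes the whole ClientHello sits in one unfragmented TLS record.

# IANA code points of the single-DES and IDEA cipher suites.
WEAK_SUITES = {
    0x0007: "TLS_RSA_WITH_IDEA_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000C: "TLS_DH_DSS_WITH_DES_CBC_SHA",
    0x000F: "TLS_DH_RSA_WITH_DES_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0x001A: "TLS_DH_anon_WITH_DES_CBC_SHA",
}

def offered_suites(record: bytes) -> list:
    """Return the offered cipher suite code points, in client preference order."""
    # Record header: type(1) version(2) length(2); handshake: type(1) length(3).
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = int.from_bytes(record[3:5], "big")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated or fragmented ClientHello")
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + hello[pos]             # skip session_id (1-byte length prefix)
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    suites = hello[pos + 2:pos + 2 + cs_len]
    if cs_len == 0 or cs_len % 2 or len(suites) != cs_len:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(suites[i:i + 2], "big") for i in range(0, cs_len, 2)]

def weak_offers(record: bytes) -> list:
    """Return (preference index, suite name) for each DES/IDEA suite offered."""
    return [(i, WEAK_SUITES[c]) for i, c in enumerate(offered_suites(record))
            if c in WEAK_SUITES]

def build_client_hello(suites) -> bytes:
    """Constructed sample: minimal TLS 1.0 ClientHello, no extensions."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    # AES-128, 3DES, single DES, IDEA: only the last two are reported.
    print(weak_offers(build_client_hello([0x002F, 0x000A, 0x0009, 0x0007])))
```
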