
non-US acceptance of RSA (Re: What do we have to do today?)

1997-10-31 13:33:35

Uri Blumenthal <uri@watson.ibm.com> writes:
> > I agree with Ian that RSA should be left in for non-US implementors
> > who don't have to worry about patents.  For us the concern is
> > getting people to use the implementation, people have heard of, and
> > trust, RSA, people can sometimes be persuaded to use DSA, but no one
> > outside the crypto/security community has ever heard of Elgamal, and
> > it's going to be a tough job going to someone who barely knows how
> > to spell RSA and convincing them to use a different algorithm
> > they've never heard of before.

> I disagree with Peter grossly here.
>
> Somebody who trusts RSA because he understands how it works, will
> trust El-Gamal for the same reason. Somebody who trusts RSA
> because the vendor who he believes, told him RSA is good,
> will trust El-Gamal for the same reason.

You are missing possibly the largest group -- they have heard of RSA,
and want it.  This is what Peter was saying, and it reflects my
experience also.  RSA is a digital signature standard I think for some
European standardisation efforts.  I think there are CEN standards on
using RSA as a digital signature algorithm for medics.  Certainly the
standards stuff I've been involved with has stuck to RSA, PKCS#7, and
X.509.

An argument against the CESG's attempted foisting of (DH based) CASM
(or new PR name CLOUD COVER) put forward was that it was contrary to
European standardisation which the medics were bound by European
law/agreement to use.  ('Course the real reason they didn't like CASM
was because it was a key escrow system, and the medics couldn't see
the case for "national security" back door access to medical
information -- that and that it was packaged up with top sikrit CESG
(UK spook agency) designed algorithm Red Pike (also commonly known
amongst detractors as `red herring'.)

> USA developers won't care after the autumn of 2000.  Then people can go
> back to worrying about advances in factoring as well as attacks on random
> numbers.
>
> Still, I'd prefer El-Gamal over Elliptic Curve if I can have my say.
> In addition, I'd rather carry 300-bit key for ECC, than 2024-bit for
> RSA... 'nuff...

If you want tried and tested (re your comments about 3DES, with which
I agree), that's RSA or EG, but _not_ EC.

> Anyway I'm not arguing... seems to be that what others suggested is
> good:
>
> MUST: 3DES, EG, DSA, SHA1
> SHOULD/MAY: IDEA, CAST5, RSA, MD5, MD2

Unencumbered is important.  So is backwards compatibility, which rates
a SHOULD for those algorithms necessary for backwards compatibility
(IDEA, RSA, MD5) in my opinion.

MD2, CAST5, Blowfish perhaps as MAYs.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`