[Top] [All Lists]

Re: ECC in OpenPGP proposal

2008-02-29 06:12:14

Jon Callas wrote:

OK, if you are happy to carry on this discussion ... what are the
reasons for including the 128-bit profile?
assuming the may -> whatever chain above holds, what about:

MAY implement ECC
 o MUST implement AES256-SHA384-384ECC
 o SHOULD implement AES128-SHA256-256ECC
 o MAY implement AES256-SHA512-521ECC
   [and/or any other combinations, but these might be "unbalanced"]

I think you have the polarity wrong.

AES256-SHA512-521ECC is desirable because it's the most secure.

AES128-SHA256-256ECC is desirable because it's fast, and it's what is most likely to be in constrained environments.

AES256-SHA384-384ECC (which I think should actually be AES192- SHA384-384ECC), is slow and not as secure. It's neither fish nor fowl.

However, for completeness, eliminating it is likely not wise. As much as I sneer at NIST's fondness for 192-bit security (especially when it runs at the same speed as 256-bit security), it's foolish to eliminate it from the spec. That's the sort of thing that might bite us in the ass years from now. The probability that I'll get a cogent, enlightening explanation of why 192-bit security is a Good Thing is directly proportional to the probability of our excluding it.

OK, so Jon argues that the market forces will push a full set of profiles, regardless of the damage done to security. OK, I accept that, it's a devil's choice. Do we work with the "best practices" mafia or do we try and meet the needs of the real users who just want the darned stuff to boot up and work?

If there are going to be 2 profiles, then there may as well be all 3. There is no real saving between 2 and 3.

So the remaining question would be, what are the recommendations?

If we are including the "mobile" profile of 128, then it makes no sense to me to say that any other profile is a MUST ... because then the mobile guys will have to implement the stronger ones to get the gold star. Which they won't use or want because it's too slow.

Which would mean that only the mobile profile is a MUST and the other two are lesser? So I see:

MAY implement ECC
   o MUST implement   AES128-SHA256-256ECC   (mobile)
   o SHOULD implement AES256-SHA512-521ECC   (strong)
   o MAY implement    AES256-SHA384-384ECC   (pretty)


PS: mobile above includes smartcards and HSMs, it's just a label for those who want "fast" not pareto-complete.

<Prev in Thread] Current Thread [Next in Thread>