To: "Gideon Avida" <gideon@decru.com> Cc: "Ralph Weber" <roweber@IEEE.org>, t10@t10.org Subject: RE: 256-bit vs 512-bit strength security From: Kevin D Butt <kdbutt@us.ibm.com> Date: Fri, 14 Sep 2007 10:38:58 -0700 X-Message-Number: 8074 Formatted message: HTML-formatted message Gideon, As for the RAND statement (and I'm not implying that it is or isn't necessary): since ietf has been able to receive such statements, it seems that there's a good chance that T10 could too... Is an argument that is invalid. Until such time that a RAND statement is received by T10 it does not matter if any other standards body has received a statement or not because T10 is not covered by it and it does not exists for T10. T10 must assume that it will not receive one. Thanks, Kevin D. Butt SCSI & Fibre Channel Architect, Tape Firmware MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744 Tel: 520-799-2869 / 520-799-5280 Fax: 520-799-2723 (T/L:321) Email address: kdbutt@us.ibm.com http://www-03.ibm.com/servers/storage/ "Gideon Avida" <gideon@decru.com> 09/14/2007 09:54 AM To Kevin D Butt/Tucson/IBM@IBMUS cc "Ralph Weber" <roweber@IEEE.org>, <t10@t10.org> Subject RE: 256-bit vs 512-bit strength security Kevin, Whether or not the NSA document support's the argument about IP depends on how you interpret "the intellectual property environment surrounding elliptic curves". One should wonder why they didn't use the word "covering". As for the RAND statement (and I'm not implying that it is or isn't necessary): since ietf has been able to receive such statements, it seems that there's a good chance that T10 could too... Even if you only focus on government agencies, we still believe that there is a need for 256 bit secure products. Since we seem to be entrenched in our positions, maybe we should reconsider the merits of mandating support for any crypto suite... Cheers, Gideon From: Kevin D Butt [mailto:kdbutt@us.ibm.com] Sent: Thursday, September 13, 2007 5:40 PM To: Gideon Avida Cc: owner-t10@t10.org; Ralph Weber; t10@t10.org Subject: RE: 256-bit vs 512-bit strength security Gideon, Your link below supports the argument about IP. Quoted from the article: "Despite the many advantages of elliptic curves and despite the adoption of elliptic curves by many users, many vendors and academics view the intellectual property environment surrounding elliptic curves as a major roadblock to their implementation and use. " A close reading on this section about IP will show that unless you are " limited to implementations that were for national security uses " then you must license at least 26 of the patents held by the referenced company. Without a Reasonable and Non-Descriminatory statement from those that hold the IP, then all would be held to getting licenses from a company - potentially your competitor - under terms that do not meet RAND. In fact, there is no guarantee that you could even license that IP. The other point to argue, the statement "We've found that many non-government customers refer to these documents for guidance" is the assertion of what your customers may be stating. I don't know if the customers to whom you are referring is isolated to your customers only or to customers of a few companies. However, I do know that I have not heard any of our customers making this statement. Just because one companies or a few companies need to support something for their customers should not require that all other companies should be forced to support that to be compliant with the standards. This is why there are optional values allowed. We mandate what can be supported by all companies and make the rest optional. In this case, there is the IP issue that is a road block to some companies and there is also a lack of need by either those same companies or a different set of companies. They meet their needs by using the 128 bit strength algorithms. Thanks, Kevin D. Butt SCSI & Fibre Channel Architect, Tape Firmware MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744 Tel: 520-799-2869 / 520-799-5280 Fax: 520-799-2723 (T/L:321) Email address: kdbutt@us.ibm.com http://www-03.ibm.com/servers/storage/ "Gideon Avida" <gideon@decru.com> Sent by: owner-t10@t10.org 09/13/2007 01:03 PM To Kevin D Butt/Tucson/IBM@IBMUS cc "Ralph Weber" <roweber@IEEE.org>, <t10@t10.org> Subject RE: 256-bit vs 512-bit strength security Hi Kevin, Since I'm not sure how navigate this minefield, I'll just point to another NSA document: http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm Thanks, Gideon From: Kevin D Butt [mailto:kdbutt@us.ibm.com] Sent: Thursday, September 13, 2007 12:58 PM To: Gideon Avida Cc: Ralph Weber; t10@t10.org Subject: RE: 256-bit vs 512-bit strength security Thanks Gideon, I will also reiterate what I said in Colorado Springs, we cannot support as mandatory, items that fall under the IP of companies that do not make a RAND statement to T10 related to that IP. Thanks, Kevin D. Butt SCSI & Fibre Channel Architect, Tape Firmware MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744 Tel: 520-799-2869 / 520-799-5280 Fax: 520-799-2723 (T/L:321) Email address: kdbutt@us.ibm.com http://www-03.ibm.com/servers/storage/ "Gideon Avida" <gideon@decru.com> 09/13/2007 12:35 PM To Kevin D Butt/Tucson/IBM@IBMUS cc <t10@t10.org>, "Ralph Weber" <roweber@IEEE.org> Subject RE: 256-bit vs 512-bit strength security Hi Kevin (and everyone else...), As I said in Colorado Springs, this isn't about cryptography but rather about policies. For example, CNSS Policy No. 15, Fact Sheet No. 1 - National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information (http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf) says: The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The NSA took it further in Suite B (http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) by specifying the algorithms to use for encryption (AES), digital signatures and key exchange (ECC based) and hashing (SHA). They also say there: "NSA has determined that beyond the 1024-bit public key cryptography in common use today, rather than increase key sizes beyond 1024-bits, a switch to elliptic curve technology is warranted." We've found that many non-government customers refer to these documents for guidance. We've also found that they prefer to not have to classify their information and to simplify things would like to use AES-256 to be on the safe side. They also like to use the same level security throughout the datacenter so they don't have to justify using lower levels of security in some areas of the datacenter to the auditors. Hope this helps the undecided crowd (and maybe convert a few from the 128 bit crowd...) Cheers, Gideon ________________________________ From: owner-t10@t10.org [mailto:owner-t10@t10.org] On Behalf Of Kevin D Butt Sent: Thursday, September 13, 2007 11:20 AM To: Ralph Weber Cc: owner-t10@t10.org; 't10@t10.org' Subject: Re: 256-bit vs 512-bit strength security All, I would like to share what Hugo Krawczyk, one of IBM's cryptographers has shared with me. << The 256-strength suite is total overkill. There is no need to use AES with 256-bit key today or SHA-512. Of course, the 128-bit suite may be broken next month (or in 5 years) but the same is possible for the 256-bit suite. Actually, who said 500-bit EC will not turn out to have only 128 bit of security in a breakthrough cryptanalysis in 5-10 years (or next month)? Given the information we have today, the 128-bit suite is good enough for almost all commercial applications. If you need security of your data for the next 50 years you may consider going to a stronger suite, but then (again) who said that the 256-bit will suffice? (for 50 year security I recommend sending it inside a physical safe :) The only reason I see now for going for a 256-bit suite is to promote ECC. That may or may not be a good idea, but it should be clear that that's the only relevant reason for this suite. Hugo >> Thanks, Kevin D. Butt SCSI & Fibre Channel Architect, Tape Firmware MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744 Tel: 520-799-2869 / 520-799-5280 Fax: 520-799-2723 (T/L:321) Email address: kdbutt@us.ibm.com http://www-03.ibm.com/servers/storage/ Ralph Weber <roweber@IEEE.org> Sent by: owner-t10@t10.org 09/12/2007 07:25 PM To "'t10@t10.org'" <t10@t10.org> cc Subject 256-bit vs 512-bit strength security * From the T10 Reflector (t10@t10.org), posted by: * Ralph Weber <roweber@ieee.org> * Reminder: On Wednesday afternoon in Vancouver, you will be asked to vote your company's position on a choice between mandating 256-bit strength security or 512-bit strength security in SPC-4. If you do not yet know your company's position, now would be a good time to start asking some embarrassing questions. All the best, .Ralph * * For T10 Reflector information, send a message with * 'info t10' (no quotes) in the message body to majordomo@t10.org