From: Larry.Hofer@emulex.com
Subject: RE: 256-bit vs 512-bit strength security
Date: Sun, 16 Sep 2007 18:42:49 -0400
To: <Black_David@emc.com>
Cc: <t10@t10.org>, <Larry.Hofer@emulex.com>
X-Message-Number: 8085

David,

Thank you for the explanation. It would leave a reader to wonder why the discrepancy in one column over the other (521bit or 384 bit curve). A note of explanation (perhaps referencing NIST guidance) may help avoid similar letter ballot comments (i.e. was it deliberate or an error) when the time comes. Not the biggest thing to worry about at the moment...

Larry

_____

From: Black_David@emc.com [mailto:Black_David@emc.com]
Sent: Sunday, September 16, 2007 3:22 PM
To: Hofer, Larry
Cc: t10@t10.org
Subject: RE: 256-bit vs 512-bit strength security

Larry,

> Also, it appears that in 06-449r8 there could be an error in the 128 bit column. It seems to match
> the 800-57 documents' 112 bit column more closely. The attached doc shows the equivalent strengths
> for various algorithms from SP 800-57. I believe 3072 is required for DH/RSA 128 bit equivalency,
> correct?

You are correct about NIST's characterization of the strengths, but this is deliberate. The 2048 bit DH/RSA size was chosen deliberately, for reasons that include NIST's statement (in the NIST document that you cited) that it should be adequate until 2030 for unclassified usage. The execution cost difference between 2048 and 3072 can be significant, and my hope is that 2048 will make a sufficient level of security feasible for more implementations.

The primary reason that column is labeled with 128 bit strength is its use of 128-bit AES keys - the overall strength of the suite is the strength of its weakest element, which would be the approximately 112 bit strength (according to NIST) of the DH/RSA 2048 bit algorithms.

Based on the feedback I received from RSA, I would have used the 384-bit elliptic curve in the 256-bit column, but Gideon objected for reasons he will have to explain, as NSA cannot be cited as a justification for use of the 521-bit curve that is in that column.

I intend to vote for the 128-bit suite as more than adequate as a minimum requirement for reasons I will explain in a separate message, but as an author of the proposal, in specifying the 256-bit suite I have deferred to Gideon as the principal visible advocate of 256-bit strength across the board. Gideon will have to explain why he wants T10's minimum requirements to exceed NSA's most stringent requirements (NSA suite B does not include the 521-bit curve), because I cannot even begin to justify this position.

Thanks,
--David

_____

From: owner-t10@t10.org [mailto:owner-t10@t10.org] On Behalf Of Larry.Hofer@emulex.com
Sent: Friday, September 14, 2007 12:14 PM
To: kdbutt@us.ibm.com; gideon@decru.com
Cc: owner-t10@t10.org; roweber@IEEE.org; t10@t10.org; Bob.Nixon@emulex.com; Bill.Martin@emulex.com
Subject: RE: 256-bit vs 512-bit strength security

I prefer to have the standard mandate unencumbered methods when they are reasonable alternatives readily available. It appears to me that more implementations could be compliant by mandating the 128 bit strength. A note could be added to capture concerns for more stringent requirements in some environments. It is unfortunate that the vote is going to drag into the debate not only the strengths, but also the algorithms.

In 800-57, it specs (for unclassified applications):
min. 80 bits until year 2010
min. 112 bits until year 2011 to 2030
min. 128 bits thereafter

Also, it appears that in 06-449r8 there could be an error in the 128 bit column. It seems to match the 800-57 documents' 112 bit column more closely. The attached doc shows the equivalent strengths for various algorithms from SP 800-57. I believe 3072 is required for DH/RSA 128 bit equivalency, correct?

Regards,
Larry Hofer
Office of Technology, Emulex

_____

From: owner-t10@t10.org [mailto:owner-t10@t10.org] On Behalf Of Kevin D Butt
Sent: Thursday, September 13, 2007 6:40 PM
To: Gideon Avida
Cc: owner-t10@t10.org; Ralph Weber; t10@t10.org
Subject: RE: 256-bit vs 512-bit strength security

Gideon,

Your link below supports the argument about IP. Quoted from the article:

"Despite the many advantages of elliptic curves and despite the adoption of elliptic curves by many users, many vendors and academics view the intellectual property environment surrounding elliptic curves as a major roadblock to their implementation and use."

A close reading on this section about IP will show that unless you are "limited to implementations that were for national security uses" then you must license at least 26 of the patents held by the referenced company. Without a Reasonable and Non-Discriminatory statement from those that hold the IP, then all would be held to getting licenses from a company - potentially your competitor - under terms that do not meet RAND. In fact, there is no guarantee that you could even license that IP.

The other point to argue, the statement "We've found that many non-government customers refer to these documents for guidance" is the assertion of what your customers may be stating. I don't know if the customers to whom you are referring are isolated to your customers only or to customers of a few companies. However, I do know that I have not heard any of our customers making this statement. Just because one company or a few companies need to support something for their customers should not require that all other companies should be forced to support that to be compliant with the standards. This is why there are optional values allowed. We mandate what can be supported by all companies and make the rest optional.

In this case, there is the IP issue that is a road block to some companies and there is also a lack of need by either those same companies or a different set of companies. They meet their needs by using the 128 bit strength algorithms.

Thanks,

Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt@us.ibm.com
http://www-03.ibm.com/servers/storage/

"Gideon Avida" <gideon@decru.com>
Sent by: owner-t10@t10.org
09/13/2007 01:03 PM
To: Kevin D Butt/Tucson/IBM@IBMUS
cc: "Ralph Weber" <roweber@IEEE.org>, <t10@t10.org>
Subject: RE: 256-bit vs 512-bit strength security

Hi Kevin,

Since I'm not sure how to navigate this minefield, I'll just point to another NSA document:
http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm

Thanks,
Gideon

_____

From: Kevin D Butt [mailto:kdbutt@us.ibm.com]
Sent: Thursday, September 13, 2007 12:58 PM
To: Gideon Avida
Cc: Ralph Weber; t10@t10.org
Subject: RE: 256-bit vs 512-bit strength security

Thanks Gideon,

I will also reiterate what I said in Colorado Springs, we cannot support as mandatory, items that fall under the IP of companies that do not make a RAND statement to T10 related to that IP.

Thanks,

Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt@us.ibm.com
http://www-03.ibm.com/servers/storage/

"Gideon Avida" <gideon@decru.com>
09/13/2007 12:35 PM
To: Kevin D Butt/Tucson/IBM@IBMUS
cc: <t10@t10.org>, "Ralph Weber" <roweber@IEEE.org>
Subject: RE: 256-bit vs 512-bit strength security

Hi Kevin (and everyone else...),

As I said in Colorado Springs, this isn't about cryptography but rather about policies.

For example, CNSS Policy No. 15, Fact Sheet No. 1 - National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information (http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf) says:

The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths.

The NSA took it further in Suite B (http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) by specifying the algorithms to use for encryption (AES), digital signatures and key exchange (ECC based) and hashing (SHA). They also say there:

"NSA has determined that beyond the 1024-bit public key cryptography in common use today, rather than increase key sizes beyond 1024-bits, a switch to elliptic curve technology is warranted."

We've found that many non-government customers refer to these documents for guidance. We've also found that they prefer to not have to classify their information and to simplify things would like to use AES-256 to be on the safe side. They also like to use the same level security throughout the datacenter so they don't have to justify using lower levels of security in some areas of the datacenter to the auditors.

Hope this helps the undecided crowd (and maybe convert a few from the 128 bit crowd...)

Cheers,
Gideon

________________________________

From: owner-t10@t10.org [mailto:owner-t10@t10.org] On Behalf Of Kevin D Butt
Sent: Thursday, September 13, 2007 11:20 AM
To: Ralph Weber
Cc: owner-t10@t10.org; 't10@t10.org'
Subject: Re: 256-bit vs 512-bit strength security

All,

I would like to share what Hugo Krawczyk, one of IBM's cryptographers has shared with me.

<<
The 256-strength suite is total overkill. There is no need to use AES with 256-bit key today or SHA-512. Of course, the 128-bit suite may be broken next month (or in 5 years) but the same is possible for the 256-bit suite.
Actually, who said 500-bit EC will not turn out to have only 128 bit of security in a breakthrough cryptanalysis in 5-10 years (or next month)?

Given the information we have today, the 128-bit suite is good enough for almost all commercial applications. If you need security of your data for the next 50 years you may consider going to a stronger suite, but then (again) who said that the 256-bit will suffice? (for 50 year security I recommend sending it inside a physical safe :)

The only reason I see now for going for a 256-bit suite is to promote ECC. That may or may not be a good idea, but it should be clear that that's the only relevant reason for this suite.

Hugo
>>

Thanks,

Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt@us.ibm.com
http://www-03.ibm.com/servers/storage/

Ralph Weber <roweber@IEEE.org>
Sent by: owner-t10@t10.org
09/12/2007 07:25 PM
To: "'t10@t10.org'" <t10@t10.org>
cc:
Subject: 256-bit vs 512-bit strength security

* From the T10 Reflector (t10@t10.org), posted by:
* Ralph Weber <roweber@ieee.org>
*
Reminder: On Wednesday afternoon in Vancouver, you will be asked to vote your company's position on a choice between mandating 256-bit strength security or 512-bit strength security in SPC-4.

If you do not yet know your company's position, now would be a good time to start asking some embarrassing questions.

All the best,

.Ralph
*
* For T10 Reflector information, send a message with
* 'info t10' (no quotes) in the message body to majordomo@t10.org