Comment on 128-bit vs. 256-bit

Black_David at emc.com Black_David at emc.com
Thu Sep 13 13:41:40 PDT 2007


* From the T10 Reflector (t10 at t10.org), posted by:
* Black_David at emc.com
*
I asked some RSA colleagues to look at the 128-bit and 256-bit
suites.  They noted that the P-521 elliptic curve (521 bits)
may be excessive for the 256-bit suite.  For example, the
largest elliptic curve required by NSA Suite B is the 384-bit
curve:
http://www.nsa.gov/ia/industry/crypto_suite_b.cfm

Thanks,
--David

> -----Original Message-----
> From: owner-t10 at t10.org [mailto:owner-t10 at t10.org] On Behalf Of Gideon Avida
> Sent: Thursday, September 13, 2007 3:36 PM
> To: Kevin D Butt
> Cc: t10 at t10.org; Ralph Weber
> Subject: RE: 256-bit vs 512-bit strength security
> 
> * From the T10 Reflector (t10 at t10.org), posted by:
> * "Gideon Avida" <gideon at decru.com>
> *
> Hi Kevin (and everyone else...),
>  
> As I said in Colorado Springs, this isn't about cryptography but
> rather about policies.
> 
> For example, CNSS Policy No. 15, Fact Sheet No. 1 - National Policy on
> the Use of the Advanced Encryption Standard (AES) to Protect National
> Security Systems and National Security Information
> (http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf) says:
> The design and strength of all key lengths of the AES algorithm (i.e.,
> 128, 192 and 256) are sufficient to protect classified information up
> to the SECRET level. TOP SECRET information will require use of either
> the 192 or 256 key lengths.
> 
> The NSA took it further in Suite B
> (http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) by specifying the
> algorithms to use for encryption (AES), digital signatures and key
> exchange (ECC based) and hashing (SHA). They also say there: "NSA has
> determined that beyond the 1024-bit public key cryptography in common
> use today, rather than increase key sizes beyond 1024-bits, a switch
> to elliptic curve technology is warranted."
> 
> We've found that many non-government customers refer to these
> documents for guidance. We've also found that they prefer to not have
> to classify their information and to simplify things would like to use
> AES-256 to be on the safe side. They also like to use the same level of
> security throughout the datacenter so they don't have to justify using
> lower levels of security in some areas of the datacenter to the auditors.
> 
> Hope this helps the undecided crowd (and maybe convert a few from the
> 128 bit crowd...)
> 
> Cheers,
> Gideon
> ________________________________
> 
> From: owner-t10 at t10.org [mailto:owner-t10 at t10.org] On Behalf Of Kevin D Butt
> Sent: Thursday, September 13, 2007 11:20 AM
> To: Ralph Weber
> Cc: owner-t10 at t10.org; 't10 at t10.org'
> Subject: Re: 256-bit vs 512-bit strength security
> 
> 
> 
> All, 
> 
> I would like to share what Hugo Krawczyk, one of IBM's cryptographers,
> has shared with me. 
> << 
> The 256-strength suite is total overkill. 
> There is no need to use AES with 256-bit key today or SHA-512. 
> Of course, the 128-bit suite may be broken next month (or in 5 years)
> but the same is possible for the 256-bit suite. Actually, who said
> 500-bit EC will not turn out to have only 128 bits of security in a 
> breakthrough cryptanalysis in 5-10 years (or next month)? 
> 
> Given the information we have today, the 128-bit suite is good enough
> for almost all commercial applications.  If you need security of your
> data for the next 50 years you may consider going to a stronger suite,
> but then  (again) who said that the 256-bit will suffice? (for 50 year
> security I recommend sending it inside a physical safe :) 
> 
> The only reason I see now for going for a 256-bit suite is to promote
> ECC. That may or may not be a good idea, but it should be clear that
> that's the only relevant reason for this suite. 
> 
> Hugo 
> >> 
> 
> Thanks, 
> 
> Kevin D. Butt
> SCSI & Fibre Channel Architect, Tape Firmware
> MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
> Tel: 520-799-2869 / 520-799-5280
> Fax: 520-799-2723 (T/L:321)
> Email address: kdbutt at us.ibm.com
> http://www-03.ibm.com/servers/storage/ 
> 
> 
> 
> Ralph Weber <roweber at IEEE.org> 
> Sent by: owner-t10 at t10.org 
> 09/12/2007 07:25 PM 
> 
> To: "'t10 at t10.org'" <t10 at t10.org> 
> cc: 
> Subject: 256-bit vs 512-bit strength security
> 
> * From the T10 Reflector (t10 at t10.org), posted by:
> * Ralph Weber <roweber at ieee.org>
> *
> Reminder:
> 
> On Wednesday afternoon in Vancouver, you will be asked
> to vote your company's position on a choice between
> mandating 256-bit strength security or 512-bit strength
> security in SPC-4.
> 
> If you do not yet know your company's position,
> now would be a good time to start asking some
> embarrassing questions.
> 
> All the best,
> 
> .Ralph
*
* For T10 Reflector information, send a message with
* 'info t10' (no quotes) in the message body to majordomo at t10.org