256-bit vs 512-bit strength security

Larry.Hofer at emulex.com Larry.Hofer at emulex.com
Fri Sep 14 09:14:11 PDT 2007


Formatted message: <A HREF="r0709140_f.htm">HTML-formatted message</A>
Attachment #1: <A HREF="r0709140_table2_comparable_strengths_800-57.pdf">table2_comparable_strengths_800-57.pdf</A>

I prefer to have the standard mandate unencumbered methods when they are
reasonable alternatives readily available. It appears to me that more
implementations could be compliant by mandating the 128 bit strength.  A
note could be added to capture concerns for more stringent requirements
in some environments. It is unfortunate that the vote is going to drag
into the debate not only the strengths, but also the algorithms.
In 800-57, it specs (for unclassified applications):
min. 80 bits until year 2010
min. 112 bits until year 2011 to 2030
min. 128 bits thereafter
Also, it appears that in 06-449r8 there could be an error in the 128 bit
column. It seems to match the 800-57 documents' 112 bit column more
closely. The attached doc shows the equivalent strengths for various
algorithms from SP 800-57. I believe 3072 is required for DH/RSA 128 bit
equivalency, correct?
Regards,
Larry Hofer
Office of Technology, Emulex
  _____  
From: owner-t10 at t10.org [mailto:owner-t10 at t10.org] On Behalf Of Kevin D
Butt
Sent: Thursday, September 13, 2007 6:40 PM
To: Gideon Avida
Cc: owner-t10 at t10.org; Ralph Weber; t10 at t10.org
Subject: RE: 256-bit vs 512-bit strength security
Gideon, 
Your link below supports the argument about IP. 
Quoted from the article: 
"Despite the many advantages of elliptic curves and despite the adoption
of elliptic curves by many users, many vendors and academics view the
intellectual property environment surrounding elliptic curves as a major
roadblock to their implementation and use. " 
A close reading on this section about IP will show that unless you are
"limited to implementations that were for national security uses " then
you must license at least 26 of the patents held by the referenced
company. 
Without a Reasonable and Non-Descriminatory statement from those that
hold the IP, then all would be held to getting licenses from a company -
potentially your competitor - under terms that do not meet RAND.  In
fact, there is no guarantee that you could even license that IP. 
The other point to argue, the statement "We've found that many
non-government customers refer to these documents
for guidance" is the assertion of what your customers may be stating.  I
don't know if the customers to whom you are referring is isolated to
your customers only or to customers of a few companies.  However, I do
know that I have not heard any of our customers making this statement.
Just because one companies or a few companies need to support something
for their customers should not require that all other companies should
be forced to support that to be compliant with the standards.  This is
why there are optional values allowed.	We mandate what can be supported
by all companies and make the rest optional.  In this case, there is the
IP issue that is a road block to some companies and there is also a lack
of need by either those same companies or a different set of companies.
They meet  their needs by using the 128 bit strength algorithms. 
Thanks, 
Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt at us.ibm.com
http://www-03.ibm.com/servers/storage/ 
"Gideon Avida" <gideon at decru.com> 
Sent by: owner-t10 at t10.org 
09/13/2007 01:03 PM 
To
Kevin D Butt/Tucson/IBM at IBMUS 
cc
"Ralph Weber" <roweber at IEEE.org>, <t10 at t10.org> 
Subject
RE: 256-bit vs 512-bit strength security
Hi Kevin, 
Since I'm not sure how navigate this minefield, I'll just point to
another NSA document: 
http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm
<http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm&gt;  
Thanks, 
Gideon 
  _____  
From: Kevin D Butt [mailto:kdbutt at us.ibm.com] 
Sent: Thursday, September 13, 2007 12:58 PM
To: Gideon Avida
Cc: Ralph Weber; t10 at t10.org
Subject: RE: 256-bit vs 512-bit strength security
Thanks Gideon, 
I will also reiterate what I said in Colorado Springs, we cannot support
as mandatory, items that fall under the IP of companies that do not make
a RAND statement to T10 related to that IP. 
Thanks, 
Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt at us.ibm.com
http://www-03.ibm.com/servers/storage/ 
"Gideon Avida" <gideon at decru.com> 
09/13/2007 12:35 PM 
To
Kevin D Butt/Tucson/IBM at IBMUS 
cc
<t10 at t10.org>, "Ralph Weber" <roweber at IEEE.org> 
Subject
RE: 256-bit vs 512-bit strength security
Hi Kevin (and everyone else...),
As I said in Colorado Springs, this isn't about cryptography but rather
about policies.
For example, CNSS Policy No. 15, Fact Sheet No. 1 - National Policy on
the Use of the Advanced Encryption Standard (AES) to Protect National
Security Systems and National Security Information
(http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf) says:
The design and strength of all key lengths of the AES algorithm (i.e.,
128, 192 and 256) are sufficient to protect classified information up to
the SECRET level. TOP SECRET information will require use of either the
192 or 256 key lengths.
The NSA took it further in Suite B
(http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) by specifying the
algorithms to use for encryption (AES), digital signatures and key
exchange (ECC based) and hashing (SHA). They also say there: "NSA has
determined that beyond the 1024-bit public key cryptography in common
use today, rather than increase key sizes beyond 1024-bits, a switch to
elliptic curve technology is warranted."
We've found that many non-government customers refer to these documents
for guidance. We've also found that they prefer to not have to classify
their information and to simplify things would like to use AES-256 to be
on the safe side. They also like to use the same level security
throughout the datacenter so they don't have to justify using lower
levels of security in some areas of the datacenter to the auditors.
Hope this helps the undecided crowd (and maybe convert a few from the
128 bit crowd...)
Cheers,
Gideon
________________________________
From: owner-t10 at t10.org [mailto:owner-t10 at t10.org] On Behalf Of Kevin D
Butt
Sent: Thursday, September 13, 2007 11:20 AM
To: Ralph Weber
Cc: owner-t10 at t10.org; 't10 at t10.org'
Subject: Re: 256-bit vs 512-bit strength security
All, 
I would like to share what Hugo Krawczyk, one of IBM's cryptographers
has shared with me. 
<< 
The 256-strength suite is total overkill. 
There is no need to use AES with 256-bit key today or SHA-512. 
Of course, the 128-bit suite may be broken next month (or in 5 years)
but the same is possible 
for the 256-bit suite. Actually, who said 500-bit EC will not turn out
to have only 128 bit of security in a 
breakthrough cryptanalysis in 5-10 years (or next month)? 
Given the information we have today, the 128-bit suite is good enough
for almost all commercial applications. 
If you need security of your data for the next 50 years you may consider
going to a stronger suite, but then 
(again) who said that the 256-bit will suffice? (for 50 year security I
recommend sending it inside a physical safe :) 
The only reason I see now for going for a 256-bit suite is to promote
ECC. 
That may or may not be a good idea, but it should be clear that that's
the only relevant reason for this suite. 
Hugo 
>> 
Thanks, 
Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt at us.ibm.com
http://www-03.ibm.com/servers/storage/ 
Ralph Weber <roweber at IEEE.org> 
Sent by: owner-t10 at t10.org 
09/12/2007 07:25 PM 
To
	       "'t10 at t10.org'" <t10 at t10.org> 
cc
Subject
	       256-bit vs 512-bit strength security
* From the T10 Reflector (t10 at t10.org), posted by:
* Ralph Weber <roweber at ieee.org>
*
Reminder:
On Wednesday afternoon in Vancouver, you will be asked
to vote your company's position on a choice between
mandating 256-bit strength security or 512-bit strength
security in SPC-4.
If you do not yet know your company's position,
now would be a good time to start asking some
embarrassing questions.
All the best,
.Ralph
*
* For T10 Reflector information, send a message with
* 'info t10' (no quotes) in the message body to majordomo at t10.org



More information about the T10 mailing list