The storage world seems to have done likewise - use 256-bit keys when 128-bits aren't enough; tape encryption is one source of examples.
Also see Section 7.3 of RFC 5282 (Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol) which also recommends 256-bit keys in preference to 192-bit keys. FWIW, Section 7.2 of the same RFC (which applies to both CCM and GCM) recommends 16-octet ICVs and recommends against 12-octet ICVs.

Thanks,
--David

From: IPsec [mailto:[email protected]] On Behalf Of Yoav Nir
Sent: Sunday, March 09, 2014 5:44 AM
To: ipsec
Subject: Re: [IPsec] AES key lengths: draft-ietf-ipsecme-esp-ah-reqts

With vendor hat on: years ago we measured the performance and found that the performance of AES-256-CBC and AES-192-CBC were virtually identical. We removed AES-192-CBC from our UI because we didn't see a point to it - less security for no performance gain. I don't have any more recent measurements, but unless there is a good reason to prefer AES-192-CBC over AES-256-CBC, I'd rather it not be a SHOULD.

On Sat, Mar 8, 2014 at 10:00 PM, <[email protected]> wrote:

On Mar 8, 2014, at 8:08 AM, Black, David <[email protected]> wrote:

>> The next draft changes AES-128-CBC to AES-CBC, and says:
>>
>> In the following sections, all AES modes are for 128-bit AES. 192-bit AES
>> MAY be supported for those modes, but the requirements here are for 128-bit
>> AES.
>
> What about 256-bit AES keys? They should also be a "MAY".

Why not "SHOULD" for 192 and 256 bit keys?

paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
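The key lengths and ICV lengths debated in the thread above, as an added example that is not from the thread, the draft or any IPsec implementation: AES-GCM protection of an ESP payload in Go that accepts only the 128/192/256-bit keys IKEv2 can negotiate and the 12- or 16-octet ICVs (RFC 5282 Section 7.2 recommends 16), and rejects a packet whose ciphertext was altered. The key, salt/IV, SPI and sequence-number values are constructed placeholders and the function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// newESPGCM builds the AEAD for one key length and one ICV length in octets;
// RFC 5282 Section 7.2 recommends 16-octet ICVs over 12-octet ones.
func newESPGCM(key []byte, icvLen int) (cipher.AEAD, error) {
	if l := len(key); l != 16 && l != 24 && l != 32 { // 128, 192 or 256 bits
		return nil, fmt.Errorf("AES key must be 128, 192 or 256 bits, got %d", 8*l)
	}
	if icvLen != 12 && icvLen != 16 {
		return nil, fmt.Errorf("ICV length must be 12 or 16 octets, got %d", icvLen)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithTagSize(block, icvLen)
}

// sealESP encrypts an ESP payload: nonce = 4-octet salt + 8-octet per-packet IV,
// aad = ESP header (SPI, sequence number). Output is ciphertext then the ICV.
func sealESP(key, nonce, aad, plaintext []byte, icvLen int) ([]byte, error) {
	aead, err := newESPGCM(key, icvLen)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

// openESP verifies the ICV before decrypting; any change to header, ciphertext or ICV errors.
func openESP(key, nonce, aad, ciphertext []byte, icvLen int) ([]byte, error) {
	aead, err := newESPGCM(key, icvLen)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

func main() {
	key, nonce := make([]byte, 32), []byte{0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0, 0, 0, 0, 1} // constructed
	aad := []byte{0, 0, 0x10, 0x01, 0, 0, 0, 1} // constructed SPI 0x1001, sequence number 1
	ct, _ := sealESP(key, nonce, aad, []byte("inner IP packet"), 16)
	ct[0] ^= 1 // flip one ciphertext bit; the ICV check must now reject the packet
	_, err := openESP(key, nonce, aad, ct, 16)
	fmt.Println("tampered packet rejected:", err != nil)
}
```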
