On Mar 10, 2014, at 12:05 PM, Stephen Kent <[email protected]> wrote:
> Paul
>> On Mar 8, 2014, at 8:08 AM, Black, David <[email protected]> wrote:
>>
>>>> The next draft changes AES-128-CBC to AES-CBC, and says:
>>>>
>>>> In the following sections, all AES modes are for 128-bit AES. 192-bit AES
>>>> MAY be supported for those modes, but the requirements here are for 128-bit
>>>> AES.
>>> What about 256-bit AES keys? They should also be a "MAY".
>> Why not “SHOULD” for 192 and 256 bit keys?
>>
>> paul
> It's good to remember the reason that 256-bit keys for AES were specified,
> i.e., as a hedge against someone building a quantum computer. So, unless the
> data being encrypted is expected to have a lifetime far enough into the future
> as to merit protection against that concern, the extra time needed to perform
> AES-256 vs. AES-128 does not seem justified.
>
> Steve

That’s a good argument for a user choosing to use AES-128 rather than AES-256.
But it doesn’t really address why “SHOULD implement” isn’t justified — the
implementation cost is trivial and if it isn’t used it has no performance
impact.

paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec