Dang, Quynh (Fed) writes:
> 80 bits of security strength is the biggest number that I have seen
> from the cryptographic community for estimating the strength of 1k
> DH.

That might be so, but there are still quite a lot of different
estimates for the equivalent strengths between symmetric and asymmetric
keys.

Saying that anything below 80 bits security strength is weak does not
mean anything unless we also define what the security strength is for
each algorithm, and we do not want to do it here.

Also, that statement would not cover group 5, which is considered to have
more strength than group 2, but how much is open to debate.

We already say that:

   Group 2 or 1024-bit MODP Group has been downgraded from MUST- in
   RFC4307 to SHOULD NOT.  It is known to be weak against sufficiently
   funded attackers using commercially available mass-computing
   resources, so its security margin is considered too narrow.  It is
   expected in the near future to be downgraded to MUST NOT.

If the reader still wants to use it, he needs to have good reasons why
and he then himself takes that risk of using it.

For group 5 we say:

   Group 5 or 1536-bit MODP Group has been downgraded from MAY in
   RFC4307 to SHOULD NOT.  It was specified earlier, but is now
   considered to be vulnerable to be broken within the next few years by
   a nation state level attack, so its security margin is considered too
   narrow.

I still think both of those comments are accurate, and suitable for
this document.
-- 
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec