Paul Hoffman writes: > On 5 Aug 2016, at 8:23, Yaron Sheffer wrote: > > > The trick to that is to add a new column to the IANA table > > https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-5 > > That's the first of two tricks: the second is getting agreement about > the rules for the values in that column. It seems like there is still > disagreement in the crypto community about how susceptible different > algorithms and modes are to quantum.
As an IANA expert, I am not that happy adding yet another column to that table. The ESP/IKEv2 reference columns already seem to make enough confusion for people :-) Also I think it is bad idea to list which ciphers are quantum computing safe, as I have no idea whether RC5 or Blowfish are really in that category, even when they do have long keys... It might be better to list ciphers which we consider not to be safe, i.e., explictly note that PRF_AES128_XCBC and PRF_AES128_CMAC are using 128-bit keys so they might be vulnerable. (Btw it is PRF_AES128_CMAC, not PRF_AES_CBC). Also this is something we might want to add to the rfc4307bis provided we can agree on the text before it goes forward. I.e. I do not think the RFC4307bis should wait for the text, as we can add it the QR document also, but if we can agree on that now, then we can add this kind of warning to rfc4307bis too. That text could be something like this: Quantum computers might able to perform Grover's algorithm; that effectively halves the size of a symmetric key. Because of this, to provide 128-bit security even when we have quantum computers, the symmetric algorithm keys needs to have least 256 bits of entropy. Btw, both PRF_AES128_XCBC and PRF_AES128_CMAC do use 128-bit keys always, they cannot use longer keys, so the text saying "even though they can use larger keys" is wrong, as those versions cannot use longer keys. -- [email protected] _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
