On Mon, 8 Aug 2016, Tero Kivinen wrote:
> Also this is something we might want to add to the rfc4307bis provided
> we can agree on the text before it goes forward. I.e. I do not think
> the RFC4307bis should wait for the text, as we can add it to the QR
> document also, but if we can agree on that now, then we can add this
> kind of warning to rfc4307bis too. That text could be something like
> this:
>
>    Quantum computers might be able to perform Grover's algorithm; that
>    effectively halves the size of a symmetric key. Because of this, to
>    provide 128-bit security even when we have quantum computers, the
>    symmetric algorithm keys need to have at least 256 bits of entropy.

Actually, this is a very good reason to bump the keysizes from 128 to
256. Currently in 7321bis and 4307bis, 128 is MUST and 256 is SHOULD. I
have asked before if we should make 256 MUST and 128 MUST-.

Current text has:

   [1] - This requirement level is for 128-bit keys. 256-bit keys are at
   SHOULD. 192-bit keys can safely be ignored. [IoT] - This
   requirement is for interoperability with IoT.

   IPsec sessions may have very long life time, and carry multiple
   packets, so there is a need to move 256-bit keys in the long term.
   For that purpose requirement level is for 128 bit keys and 256 bit
   keys are at SHOULD (when applicable). In that sense 256 bit keys
   status has been raised from MAY in RFC7321 to SHOULD.

Is there anyone who disagrees with making 128 MUST- and 256 MUST?

Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec