On 9 Aug 2016, at 5:44, Scott Fluhrer (sfluhrer) wrote:
-----Original Message-----
From: Tero Kivinen [mailto:[email protected]]
Sent: Monday, August 08, 2016 9:15 AM
To: Paul Hoffman
Cc: Yaron Sheffer; [email protected]; Scott Fluhrer (sfluhrer)
Subject: Re: [IPsec] I-D Action: draft-fluhrer-qr-ikev2-02.txt
Paul Hoffman writes:
On 5 Aug 2016, at 8:23, Yaron Sheffer wrote:
The trick to that is to add a new column to the IANA table https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-5
That's the first of two tricks: the second is getting agreement about the rules for the values in that column. It seems like there is still disagreement in the crypto community about how susceptible different algorithms and modes are to quantum.
As an IANA expert, I am not that happy adding yet another column to that table. The ESP/IKEv2 reference columns already seem to make enough confusion for people :-)
On the other hand, we need to give people some guidance somehow...
Do we? Who is "we"? Why is "our" guidance any better than what they get
from their own experts, particularly if "our" guidance gets ossified in
an IANA registry or RFCs that are updated slowly?
Also I think it is a bad idea to list which ciphers are quantum computing safe, as I have no idea whether RC5 or Blowfish are really in that category, even when they do have long keys...
There's no known Quantum attack against either (assuming long keys), and so they're in the same category as AES-256.
That would be better stated as "There's currently no known..."
It might be better to list ciphers which we consider not to be safe, i.e., explicitly note that PRF_AES128_XCBC and PRF_AES128_CMAC are using 128-bit keys so they might be vulnerable. (Btw it is PRF_AES128_CMAC, not PRF_AES_CBC).
That makes a lot of sense; ultimately, we don't really know which ones are strong against Quantum Computers (then again, we really don't know which ones are strong against conventional computers using undiscovered attacks :-); we do know some are likely weak.
Exactly.
--Paul Hoffman
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec