Re: Algorithm Selections

Aram Perez@WAVE_DOMAIN
11/21/2000 01:31 PM
Hi Jim,

My comments below (preceded by "**#**")... If I've snipped a section it's
because I agree with you.





"Jim Schaad" <jimsch@nwlink.com> on 11/15/2000 12:31:49 AM

Please respond to jimsch@nwlink.com

To:   "'Xml-Encryption (E-mail)" <xml-encryption@w3.org>
cc:    (bcc: Aram Perez/WAVE/US)

Subject:  Algorithm Selections




As promised at the XML Encryption workshop, here is a description of the
different types of algorithms along with what I would recommend for the
different levels of support.  Let the discussion begin:

[snip]

Block Encryption Algorithms:

TripleDES - This is the current U.S. government standard algorithm.  In
almost all instances the algorithm is run using 3 DES keys used in EDE
(encryption, decryption, encryption) sequence.  Unless you are only
encrypting one block of data it almost always uses CBC chaining mode with
PKCS#5 padding.

AES - This is the proposed U.S. government standard algorithm based on the
Rijndael submission.  Used as the AES algorithm it is fixed to a 128-bit
block size but still uses 128, 192 and 256-bit keys.  As with TripleDES the
most common mode is CBC chaining with PKCS#5 padding.

Recommendation:  AES is MUST in the same key lengths as CMS adopts.  AES in
other key lengths and TripleDES are MAY. **#** My concern is whether we expect
to publish our specification before AES becomes an official standard. Is there
any way of specifying something like "TripleDES is a MUST until AES is official.
When AES is official, then AES is a MUST and TripleDES is a MAY."?

[snip]

Key Transport Algorithms:

RSA-v1.5 - This is the standard RSA algorithm used in CMS today.  It has the
benefit of being widely used and the downside that there is a known attack
against it.

RSA-OAEP - This is the revised RSA algorithm for doing key transport (**#** I
was not aware that OAEP was limited to just key transport.).  The same RSA
public/private key pair can be used for both RSA-v1.5 and RSA-OAEP so there is
no need to choose just one of these variants.

Recommendation:  RSA-OAEP should be used with AES.  RSA-v1.5 should be used
with TripleDES. **#** Shouldn't you also use RSA-OAEP with TripleDES?

[snip]

Symmetric Key Wrap Algorithms:

The S/MIME working group has two different key wrap algorithms specified.

CMS-KeyWrap is used for wrapping Triple-DES and RC2 keys.  The algorithm is
simple and has been implemented by several different groups of people.  This
is the algorithm that is used for S/MIME ES-DH key agreement key wrapping.

S/MIME-Password is an alternate that has been proposed for use when
encrypting a Triple-DES or RC2 key when the wrapping key is derived from a
password.  There is currently no consensus in the working group that this
should become a standard wrapping algorithm.

AES key wrap has been requested from the NSA by the S/MIME working group.
It is currently expected that we will receive this by March 2001.  In the
event that we don't get one in the working group we would most likely adapt
the CMS-KeyWrap algorithm for AES purposes.

Recommendation:  Make the AES keywrap from the NSA be mandatory when it
appears. **#** I would also add a recommendation that "weaker" keys not wrap
"stronger" keys, i.e., don't wrap a TripleDES key with a 64 bit RC2 key.


**#** That's it for now,

Aram Perez

Received on Tuesday, 21 November 2000 13:25:37 UTC
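
The suggestion above that "weaker" keys not wrap "stronger" keys can be checked mechanically over a key hierarchy. The following is an added example, not code from the message or from any XML Encryption draft; the strength figures are assumed estimates in the style of NIST SP 800-57, and the key names and the `audit` helper are hypothetical.

```python
# Added example, not code from the thread. Strength figures are assumed
# estimates in the style of NIST SP 800-57; adjust them to your own policy.
STRENGTH_BITS = {
    ("RC2", 64): 64,
    ("TripleDES", 168): 112,  # 3-key EDE, limited by meet-in-the-middle
    ("AES", 128): 128,
    ("AES", 192): 192,
    ("AES", 256): 256,
    ("RSA", 1024): 80,
    ("RSA", 2048): 112,
    ("RSA", 3072): 128,
}


def strength(alg, bits):
    """Estimated security strength in bits; unknown keys are rejected."""
    if (alg, bits) not in STRENGTH_BITS:
        raise ValueError(f"no strength estimate for {alg}-{bits}")
    return STRENGTH_BITS[(alg, bits)]


def audit(keys):
    """keys maps name -> (alg, bits, name of wrapping key or None).

    Returns (name, own_strength, effective_strength) for every key whose
    chain of wrapping keys contains something weaker than the key itself.
    """
    findings = []
    for name, (alg, bits, parent) in keys.items():
        own = effective = strength(alg, bits)
        seen = {name}
        while parent is not None:
            if parent in seen:
                raise ValueError(f"wrap cycle at {parent}")
            seen.add(parent)
            p_alg, p_bits, next_parent = keys[parent]
            effective = min(effective, strength(p_alg, p_bits))
            parent = next_parent
        if effective < own:
            findings.append((name, own, effective))
    return findings


# Constructed hierarchy: the first wrap is the case named in the message.
SAMPLE = {
    "kek-rc2": ("RC2", 64, None),
    "cek-3des": ("TripleDES", 168, "kek-rc2"),
    "kek-aes256": ("AES", 256, None),
    "cek-aes128": ("AES", 128, "kek-aes256"),
}

if __name__ == "__main__":
    for name, own, eff in audit(SAMPLE):
        print(f"{name}: {own}-bit key protected at only {eff} bits")
```

Because the check follows the whole chain, a key transport step counts as a wrap too: an AES key carried under a short RSA key is reported the same way as a TripleDES key under RC2.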