- From: Aram Perez <aperez@wavesys.com>
- Date: Tue, 21 Nov 2000 10:31:47 -0800
- To: jimsch@nwlink.com
- cc: "'Xml-Encryption (E-mail)" <xml-encryption@w3.org>
Aram Perez@WAVE_DOMAIN 11/21/2000 01:31 PM

Hi Jim,

My comments below (preceded by "**#**")... If I've snipped a section it's because I agree with you.

"Jim Schaad" <jimsch@nwlink.com> on 11/15/2000 12:31:49 AM

Please respond to jimsch@nwlink.com

To: "'Xml-Encryption (E-mail)" <xml-encryption@w3.org>

cc: (bcc: Aram Perez/WAVE/US)

Subject: Algorithm Selections

As promised at the XML Encryption workshop, here is a description of the different types of algorithms along with what I would recommend for the different levels of support. Let the discussion begin:

[snip]

Block Encryption Algorithms:

TripleDES - This is the current U.S. government standard algorithm. In almost all instances the algorithm is run using 3 DES keys used in EDE (encryption, decryption, encryption) sequence. Unless you are only encrypting one block of data it almost always uses CBC chaining mode with PKCS#5 padding.

AES - This is the proposed U.S. government standard algorithm based on the Rijndael submission. Used as the AES algorithm it is fixed to a 128-bit block size but still uses 128, 192 and 256-bit keys. As with TripleDES the most common mode is CBC chaining with PKCS#5 padding.

Recommendation: AES is MUST in the same key lengths as CMS adopts. AES in other key lengths and TripleDES are MAY.

**#** My concern is whether we expect to publish our specification before AES becomes an official standard. Is there any way of specifying something like "TripleDES is a MUST until AES is official. When AES is official, then AES is a MUST and TripleDES is a MAY."

[snip]

Key Transport Algorithms:

RSA-v1.5 - This is the standard RSA algorithm used in CMS today. It has the benefit of being widely used and the downside that there is a known attack against it.

RSA-OAEP - This is the revised RSA algorithm for doing key transport (**#** I was not aware that OAEP was limited to just key transport.).

The same RSA public/private key pair can be used for both RSA-v1.5 and RSA-OAEP so there is no need to choose just one of these variants.

Recommendation: RSA-OAEP should be used with AES. RSA-v1.5 should be used with TripleDES.

**#** Shouldn't you also use RSA-OAEP with TripleDES?

[snip]

Symmetric Key Wrap Algorithms:

The S/MIME working group has two different key wrap algorithms specified.

CMS-KeyWrap is used for wrapping Triple-DES and RC2 keys. The algorithm is simple and has been implemented by several different groups of people. This is the algorithm that is used for S/MIME ES-DH key agreement key wrapping.

S/MIME-Password is an alternate that has been proposed for use when encrypting a Triple-DES or RC2 key when the wrapping key is derived from a password. There is currently no consensus in the working group that this should become a standard wrapping algorithm.

AES key wrap has been requested from the NSA by the S/MIME working group. It is currently expected that we will receive this by March 2001. In the event that we don't get one in the working group we would most likely adapt the CMS-KeyWrap algorithm for AES purposes.

Recommendation: Make the AES keywrap from the NSA be mandatory when it appears.

**#** I would also add a recommendation that "weaker" keys not wrap "stronger" keys, i.e., don't wrap a TripleDES key with a 64 bit RC2 key.

**#** That's it for now,

Aram Perez
Received on Tuesday, 21 November 2000 13:25:37 UTC
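
The closing recommendation in the message above, that "weaker" keys not wrap "stronger" keys, can be checked mechanically. The following Python sketch is an added example, not part of the original message or of any XML Encryption specification; it extends the rule to RSA key transport keys as well as symmetric wrapping keys. The key labels, the function names `strength`, `weak_links` and `effective_strength`, and the use of NIST SP 800-57 Part 1 comparable-strength figures (with TripleDES taken as three-key) are assumptions of this example.

```python
import re

# Approximate comparable strengths in bits (NIST SP 800-57 Part 1 figures).
# "TripleDES" is assumed to be the three-key variant.
SYMMETRIC_BITS = {"TripleDES": 112, "AES-128": 128, "AES-192": 192, "AES-256": 256}
# (minimum modulus size, comparable strength) for RSA key transport keys.
RSA_BITS = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]


def strength(key: str) -> int:
    """Estimated strength in bits for labels like 'AES-128', 'RC2-64', 'RSA-2048'."""
    if key in SYMMETRIC_BITS:
        return SYMMETRIC_BITS[key]
    m = re.fullmatch(r"(RC2|RSA)-(\d+)", key)
    if not m:
        raise ValueError(f"unknown key type: {key}")
    family, size = m.group(1), int(m.group(2))
    if family == "RC2":
        return size  # RC2 is rated at its configured effective key bits
    for modulus, bits in RSA_BITS:
        if size >= modulus:
            return bits
    return 0  # assumption: RSA below 1024 bits is rated weaker than any key here


def weak_links(chain):
    """chain lists keys outermost first; each key protects the one after it.
    Returns every (protector, protected) pair where the protector is weaker."""
    return [(outer, inner) for outer, inner in zip(chain, chain[1:])
            if strength(outer) < strength(inner)]


def effective_strength(chain):
    """The data is only as well protected as the weakest key in the chain."""
    return min(strength(k) for k in chain)


# Constructed sample chains (not taken from any real deployment).
SAMPLES = {
    "message's example": ["RC2-64", "TripleDES"],
    "RSA-1024 transporting AES-128": ["RSA-1024", "AES-128"],
    "RSA-3072 -> AES-128 KEK -> AES-128 content key": ["RSA-3072", "AES-128", "AES-128"],
}

if __name__ == "__main__":
    for name, chain in SAMPLES.items():
        bad = weak_links(chain)
        verdict = "OK" if not bad else f"REJECT {bad}"
        print(f"{name}: {effective_strength(chain)} bits effective, {verdict}")
```
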