RE: Early Draft Algorithms Section

Don said, 

&& I guess we have different assessments of these things.  I do not believe there
&& is any fielded system in which 3DES would be the weakest link and I do not
&& think that situation will change in the next decade or more.  Given the
&& nature of the AES selection process, I do not believe that AES will be
&& broken by more than a few orders of magnitude in effort in the next
&& ten years.  But maybe I'll be proved wrong.

I mostly agree with Don (except, I think it is conceivable that AES will be
broken, just not likely, so I think a slightly weaker statement but to the
same effect is better). 

I think the advantages of interoperability and support for weak devices far
outweigh the danger of AES, or even 3DES, breaking down soon. If and when
that happens, there is no problem with using another cipher even if not
declared mandatory, and even by mandating it for a new release of the spec. 

I believe in modularity of standardization. In particular I think it's a bad
idea for a WG like this one, dealing mostly with protocol design issues, to
try to `fix` an encryption algorithm, unless of course it is recognized as
broken. And this is not the case with AES (and I think even not with 3DES,
but this is not important as we require AES anyway).

&& Given the WG consensus so far that 3DES and AES should be mandatory to
&& implement and a desire to avoid code bloat, what would you think about
&& defining an algorithm that compounded DES and AES?

Bad idea. One of the main goals in AES, rather than just using 3DES, is not
security (as I said, 3DES may be OK from that perspective for some time),
but rather performance. I wouldn't object, in fact, to make only AES
mandatory, except it is not yet widely available (which means that in the
near future I expect there may be some `partially conformant implementations`
which will not yet do AES so better require also 3DES - in the future I hope
we can get rid of 3DES...). 

Best regards, 
Amir Herzberg
CTO, NewGenPay Inc.  

See demo and lectures/overviews/tutorials on crypto-security for mobile,
e-commerce, etc. in http://www.newgenpay.com/mpay/course/course.html

Received on Sunday, 20 May 2001 02:45:41 UTC