[3368] in cryptography@c2.net mail archive
Re: Key setup time a real issue for IPSEC? Or not?
daemon@ATHENA.MIT.EDU (Angelos D. Keromytis)
Thu Sep 24 16:30:43 1998
To: Ron Rivest <rivest@theory.lcs.mit.edu>
Cc: cryptography@c2.net
In-reply-to: Your message of "Thu, 24 Sep 1998 13:44:32 EDT."
<199809241744.NAA02344@swan>
Date: Thu, 24 Sep 1998 15:50:42 -0400
From: "Angelos D. Keromytis" <angelos@dsl.cis.upenn.edu>
-----BEGIN PGP SIGNED MESSAGE-----
To: Ron Rivest <rivest@theory.lcs.mit.edu>
Subject: Re: Key setup time a real issue for IPSEC? Or not?
Cc: cryptography@c2.net
Date: 09/24/98, 15:50:41
In message <199809241744.NAA02344@swan>, Ron Rivest writes:
>
>John Kelsey says about the AES criteria:
> "There are some applications for which key agility is really
> important. IPSec is one example."
>
>I don't believe that key setup time is terribly important for IPSEC, or
>for most other applications. Of course, it *is* very important if you
>are doing brute-force key searches...

I'll second that; for one, one does not change encryption keys per
packet with IPsec. A key is typically used for quite a while (there
are various expiration timers/counters). If you are going to change
keys, your bottleneck will be the key management (IKE) which, even for
the simplest case, will cost one message roundtrip between the two
parties (for the sync message) and a few blocks of DES encryption, and
possibly much more than that (if you're going to do a complete D-H
exchange, and then perhaps do a full certificate authentication...)

There may be applications where extremely fast key setup is necessary,
but IPsec isn't it.

- -Angelos
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
-----END PGP SIGNATURE-----