Commenting on Commenting
If you look hard enough these days, you can still find reasonable -- and even valuable -- feedback provided by reasonable -- even intelligent -- people. Where? How about the National Institute of Standards and Technology. That's right -- NIST, the non-regulatory federal agency within the U.S. Department of Commerce that promotes innovation by setting measurements for science, standards, and technology. But NIST doesn't do this in a vacuum. Rather, the agency relies on public comment by (hopefully) citizen experts. And for the most part, this makes for some fascinating reading.

To illustrate: NIST recently posted a discussion paper entitled "The Transitioning of Cryptographic Algorithms and Key Sizes" and requested comments on it. While only half a dozen individuals submitted comments, they were all polite, reasonable, and intelligent -- about as far removed from talk radio as you can get, in other words.

For instance, Hugo Krawczyk started by asking for clarification: "I am reading the document and was wondering what distinguishes 'data authentication' from 'entity authentication.'" Hugo goes on to suggest that "a clue to what you mean by differentiating between the two cases seems to be the following text on page 5: 'signature verification for entity authentication is performed immediately after signature generation; therefore, there is no requirement to retain a signature for later verification.'" I had to go back and re-read page 5.

Steve Ratcliffe seems to be the kind of editor I ought to be at times: "Page 1, line 6, 'algorithm breaks': Is this actual breaks or academic breaks? I am not aware of any actual breaks, so it might be safer to say academic; this way no one gets the impression that any algorithm has actually been broken."

For his part, Stan Kladko pointed out what wasn't there: "The document does discuss IKE but does not discuss IPSec. IPSec uses truncated HMAC-SHA-1, which is only 96 bits long. This means that for long-lived IPSec connections, there will be two messages with the same HMAC after approximately 2^48 IPSec messages are transmitted. If IPSec is used to secure a terabit optical link, sending 2^48 messages is actually feasible. The fate of IPSec and specifically the truncated HMAC-SHA-1 needs to be discussed."

Likewise, Paul Hoffman noted that "although two-key Triple DES is discussed in FIPS 140 and SP 800-56A, it is almost never seen in deployed products. For example, I see no certificates in that list two-key Triple DES."

Ian Simmons is my kind of editor. After asking a series of questions along the line of "what is the position for digital signatures for data authentication with Triple-DES MAC (from the IG rather than FIPS 186-3)?" he pointed out that on "Page 1, paragraph 5" there's the "superfluous word 'can' at end." I like any use of the word "superfluous," superfluous or not.

Finally, Arjen K. Lenstra topped them all by simply submitting an 18-page paper entitled "On the Security of 1024-bit RSA and 160-bit Elliptic Curve Cryptography" that he cowrote.

Oh well, I can see the "letters to the editor" coming.