Dr. Dobb's is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Channels ▼

Jonathan Erickson

Dr. Dobb's Bloggers

Commenting on Commenting

August 25, 2009

If you look hard enough these days, you can still find reasonable -- and even valuable -- feedback provided by reasonable -- even intelligent -- people. Where? How about the National Institute of Standards and Technology . That's right -- NIST, the non-regulatory federal agency within the U.S. Department of Commerce that promotes innovation by setting measurements for science, standards, and technology. But NIST doesn't do this in a vacuum. Rather, the agency relies on public comment by (hopefully) citizen experts. And for the most part, this makes for some fascinating reading.To illustrate: NIST recently posted a discussion paper entitled The Transitioning of Cryptographic Algorithms and Key Sizes and requested comments on it. While only half a dozen individuals submitted comments, they were all polite, reasonable, and intelligent -- about as far removed from talk radio as you can get, in other words.For instance, Hugo Krawczyk started by asking for clarification: "I am reading the document and was wondering what distinguishes 'data authentication' from 'entity authentication.'" Hugo goes on to suggest that "a clue to what you mean by differentiating between the two cases seems to be the following text in page 5: 'signature verification for entity authentication is performed immediately after signature generation; therefore. there is no requirement to retain a signature for later verification.'" I had to go back and re-read page 5.Steve Ratcliffe seems to be the kind of editor I ought to be at times: "Page 1, line 6, 'algorithm breaks': Is this actual breaks or academic breaks. I am not aware of any actual breaks so it might be safer to say academic, this way no one gets the impression that any algorithm has actually been broken."For his part, Stan Kladko pointed out what wasn't there: "The document does discuss IKE but does not discuss IPSec. IPSec uses truncated HMAC-SHA-1, which is only 96 bits long. This means that for long-lived IPSec connections, there will be two messages with the same HMAC after approximately 2^48
IPSEC messages are transmitted. If IPSEC is used to secure a terabit optical link, sending 2^48 messages is actually feasible. The fate of IPSEC and specifically the truncated HMAC-SHA-1 needs to be discussed."Likewise, Paul Hoffman noted that "although two-key Triple DES is discussed in FIPS 140 and SP 800-56A, it is almost never seen in deployed products. For example, I see no certificates in
that list twokey Triple DES."Ian Simmons is my kind of editor. After asking a series of questions along the line of "what is the position for digital signatures for data authentication with Triple-DES MAC (from the IG rather than FIPS 186-3)?" he pointed out that on 'Page 1, paragraph 5 there's the "superfluous word 'can' at end." I like any use of the word "superfluous," superfluous or not.Finally, Arjen K. Lenstra topped them all by simply submitting an 18-page paper entitled "On the Security of 1024-bit RSA and 160-bit Elliptic Curve Cryptography" that he cowrote.Oh well, I can see the "letters to the editor" coming.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.