[saag] An aside on algorithms & modes
RJ Atkinson
rja at extremenetworks.com
Fri Dec 21 17:02:02 EST 2007
Part of my job involves travelling around and talking
with various users (ISPs, enterprises, academia, and others).
I spend a fair amount of time doing this on several continents
each year.

In the course of my travels this decade I've been
hearing a pretty clear, and growing, trend from a wide range
of users that favours use of cryptographic algorithms & modes
that are acceptable to (US) NIST under the FIPS-140 rules.

Prior to 2000, virtually all of the requests for use
of FIPS-140 compliant algorithms & modes came from the US
geographically, and specifically from either the US Government
or closely related organisations.

This decade many global financial institutions (e.g. banks,
insurance firms, credit unions, and so forth) have said that their
commercial (re-)insurers are pressuring them to deploy only FIPS-140
compliant algorithms & modes.

In a growing number of cases, there is even pressure from
insurers onto major commercial firms, particularly financial firms,
to use only equipment (including ordinary routers and switches,
not just "security appliances") that actually has obtained
a FIPS-140 approval for the cryptographic module inside.

Further, a number of governments other than the US
government have declared that implementations using cryptographic
modules that have been approved under FIPS-140 are also acceptable
for deployment within their country or government or both.
The number of countries in this group appears to be growing,
and seems visibly larger now than 8 years ago.

In turn, all of this creates clear user-demand pressures
on implementers (both for open source implementations and for
commercial products) to implement in a manner mindful of
the FIPS-140 requirements, including the basic step of using
algorithms and modes acceptable under FIPS-140.[1]

So while I remain a believer in algorithm-independent
protocol design, I also think that there are good solid user,
deployment, and business reasons why at least one algorithm/mode
combination supported in any new cryptographically-related protocol
would be a FIPS-140 compliant algorithm and mode. This in no way
suggests that this ought to be the only implementation or deployment
option, merely that there ought to be a FIPS-compliant option
available that is openly specified.

Also, personally, I don't have any opinion about any
particular algorithm or mode, not being a mathematician.
I do believe in listening to the users when they have inputs,
as many seem to have on this narrow topic.

Yours,

Ran Atkinson
rja at extremenetworks.com

[1] I was not involved in the IEEE 802.11i wireless security
efforts, but I note that it appears to be possible to implement
an interoperable subset of 802.11i in an entirely FIPS-140
compliant manner. I doubt this is an accidental result from
the IEEE's 802.11i efforts. Someone directly involved in the
IEEE's 802.11i work might be able to correct me on this guess.