Algorithm Choice in PKCS#11 (part 4) - Block Ciphers

Graham Steel
September 18, 2014

Following on from our popular review of RSAmechanisms and hash functions, this post reviews the block ciphers and modes available in PKCS#11 v2.20 and the state of the art in their cryptanalysis. We'll also look at what's changing in version 2.40.The first version of PKCS#11 came out in 1995, and since then no mechanisms have been removed, though this will change when version 2.40 comes out. Reading the mechanism list for block ciphers is therefore something of an exercise in cryptographic archaeology.

In the table below, we list all the mechanisms and identify those that have been retained for version 2.40 as current mechanisms (C) and historic mechanisms (H).We also give an indication of the current state of the art of public cryptanalysis of the cipher by giving a recommendation as to whether the cipher is suitable for use to support legacy applications or for new applications. As usual we draw on on the 2013 ENISA Algorithms, Key Sizes and Parameters Report, though only six block ciphers are covered there, one of which (Kasumi) is not in PKCS#11. Explanatory notes on the recommendations appear below the table: essentially, for ciphers that are not covered in the report, we follow the ENISA recommendations on key size and block size, and examine the best publicly known cryptanalysis results.

Cipher v2.20 v2.40 ok legacy ok future
RC2H××
DESH××
DES32 or 3 key)C×
CDMFH××
CASTH××
CAST3H××
CAST5H××
CAST 128H××
RC5H××
IDEAH××
SKIPJACKH××
BATONH××
JUNIPERH××
AESC
BLOWFISH (80+ bit keylength)C×
TWOFISHC
CAMELLIA×C
ARIA×C
SEED×C
GOST 28147-89×C×

Historic Ciphers: RC2, CAST, SKIPJACK, BATON, DES, IDEA,...

All the ciphers that have been moved to the "historic" category of PKCS#11 v2.40 are no longer suitable for use, even for legacy applications. They include ciphers with short block sizes, short (or short default) key sizes, known cryptanalytic weaknesses such as related-key attacks or just an absence of good public cryptanalysis thanks to their obscurity that dates from the export-control period of cryptographic history.

Triple-DES (DES3)

We give the ENISA recommendation. The short blocksize precludes recommendation for future applications.

Blowfish

Recommendations taken from the ENISA report. Note the requirement to use at least 80 bit keys. The recommendation to only use Blowfish for legacy applications is based on the short (64 bit) block size.

AES

AES is described by the ENISA report as the blockcipher of choice for future applications. Some vectors of attack have been proposed based on the algebraic structure of the cipher but none of these are thought to indicate practical attacks.

Twofish

Twofish was an unchosen finalist for the AES competition and so received a fair amount of cryptanalytic attention in the late 90's. No significant weaknesses have been found, and since key sizes and block sizes are at least 128 bits it is suitable for ongoing use. It is available in OpenPGP.

CAMELLIA

Recommendations taken from the ENISA report. Available in TLS.

SEED

SEED is a blockcipher designed by the Korean national security agency in 1998. It has a 128 bit block size and 128 bit key size. There are some cryptanalytic results on SEED but currently nothing close to a practical attack.

ARIA

ARIA is a block cipher similar to AES. There are some public cryptanalytic results but so far no practical attacks.

GOST 28147-89

GOST 28147-89 has a 64-bit blocksize and a 256-bit keysize. There are no publicly known practical attacks, even though a number of papers have cited weaknesses.

Plug

Download our PKCS#11 white paper for more information.