Following on from our popular review of RSA mechanisms and hash functions, this post reviews the block ciphers and modes available in PKCS#11 v2.20 and the state of the art in their cryptanalysis. We’ll also look at what’s changing in version 2.40.
The first version of PKCS#11 came out in 1995, and since then no mechanisms have been removed, though this will change when version 2.40 comes out. Reading the mechanism list for block ciphers is therefore something of an exercise in cryptographic archaeology. In the table below, we list all the mechanisms and identify those that have been retained for version 2.40 as current mechanisms (C) and historic mechanisms (H).
We also give an indication of the current state of the art of public cryptanalysis of each cipher, with a recommendation as to whether it is suitable for use in legacy applications or in new applications. As usual we draw on the 2013 ENISA Algorithms, Key Sizes and Parameters Report, though only six block ciphers are covered there, one of which (Kasumi) is not in PKCS#11. Explanatory notes on the recommendations appear below the table: essentially, for ciphers that are not covered in the report, we follow the ENISA recommendations on key size and block size, and examine the best publicly known cryptanalysis results.
| Cipher | v2.20 | v2.40 | ok legacy | ok future |
|---|---|---|---|---|
| DES3 (2 or 3 key) | ✓ | C | ✓ | × |
| BLOWFISH (80+ bit keylength) | ✓ | C | ✓ | × |
Historic Ciphers: RC2, CAST, SKIPJACK, BATON, DES, IDEA,…
All the ciphers that have been moved to the “historic” category of PKCS#11 v2.40 are no longer suitable for use, even for legacy applications. They include ciphers with short block sizes, short (or short default) key sizes, known cryptanalytic weaknesses such as related-key attacks, or simply an absence of good public cryptanalysis, owing to an obscurity that dates from the export-control period of cryptographic history.
Here we give the ENISA recommendation. The short block size precludes recommendation for future applications.
Recommendations taken from the ENISA report. Note the requirement to use at least 80 bit keys. The recommendation to only use Blowfish for legacy applications is based on the short (64 bit) block size.
AES is described by the ENISA report as the block cipher of choice for future applications. Some vectors of attack have been proposed based on the algebraic structure of the cipher, but none of these is thought to indicate a practical attack.
Twofish was an AES competition finalist that was not selected, and so received a fair amount of cryptanalytic attention in the late 1990s. No significant weaknesses have been found, and since its key and block sizes are at least 128 bits it is suitable for ongoing use. It is available in OpenPGP.
Recommendations taken from the ENISA report. Available in TLS.
SEED is a block cipher designed by the Korean national security agency in 1998. It has a 128 bit block size and a 128 bit key size. There are some cryptanalytic results on SEED, but currently nothing close to a practical attack.
ARIA is a block cipher similar to AES. There are some public cryptanalytic results but so far no practical attacks.
GOST 28147-89 has a 64-bit block size and a 256-bit key size. There are no publicly known practical attacks, even though a number of papers have cited weaknesses.
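As an added example (not code from the original post), the script below applies the two size rules the post takes from the ENISA report to several of the ciphers discussed, and quantifies the short-block-size concern behind the DES3, Blowfish and GOST notes by computing the birthday-bound data limit per key. The 128-bit key threshold for future use and the 2^-20 collision-probability target are assumptions; cryptanalytic status, the post's other criterion, is not modelled.

```python
import math

# Birthday bound: in CBC/CTR-style modes, once roughly 2^(b/2) blocks have
# been encrypted under one key, ciphertext-block collisions become likely
# and start leaking plaintext relationships. The usual approximation
# p ~= n^2 / 2^(b+1) gives n ~= sqrt(2 * p * 2^b).
def birthday_block_limit(block_bits: int, max_collision_prob: float = 2 ** -20) -> int:
    """Blocks that may be encrypted under one key before the collision
    probability exceeds max_collision_prob (2^-20 is an assumed target)."""
    return int(math.sqrt(2 * max_collision_prob * 2 ** block_bits))

def birthday_byte_limit(block_bits: int, max_collision_prob: float = 2 ** -20) -> int:
    """Same limit expressed in bytes of plaintext per key."""
    return birthday_block_limit(block_bits, max_collision_prob) * block_bits // 8

# The post's stated rules: at least 80-bit keys for legacy use, and a 64-bit
# block precludes future use. The 128-bit key threshold for future use is an
# assumption taken from the ENISA report's general guidance.
def classify(block_bits: int, key_bits: int,
             legacy_min_key: int = 80,
             future_min_key: int = 128,
             future_min_block: int = 128) -> tuple[bool, bool]:
    """Return (ok_legacy, ok_future) from key and block size alone."""
    ok_legacy = key_bits >= legacy_min_key
    ok_future = ok_legacy and key_bits >= future_min_key and block_bits >= future_min_block
    return ok_legacy, ok_future

# Constructed sample of ciphers from the post with their nominal
# (block_bits, key_bits); not a copy of the post's table.
CIPHERS = {
    "DES (single)":   (64, 56),
    "DES3 (2-key)":   (64, 112),
    "DES3 (3-key)":   (64, 168),
    "BLOWFISH (min)": (64, 80),
    "AES-128":        (128, 128),
    "TWOFISH-128":    (128, 128),
    "SEED":           (128, 128),
    "GOST 28147-89":  (64, 256),
}

if __name__ == "__main__":
    for name, (b, k) in CIPHERS.items():
        legacy, future = classify(b, k)
        mib = birthday_byte_limit(b) / 2 ** 20
        print(f"{name:15} block={b:3} key={k:3} legacy={legacy!s:5} "
              f"future={future!s:5} data/key before collisions ~{mib:,.0f} MiB")
```

Running it shows that a 64-bit block cipher reaches the 2^-20 collision bound after only a few tens of MiB under one key, whereas a 128-bit block cipher allows hundreds of petabytes.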