Quantity of plaintext/ciphertext required for DES crypto
- To: Danny.Nessett@Eng
- Subject: Quantity of plaintext/ciphertext required for DES crypto
Dan --
It is somewhat counterintuitive that the known plaintext attack
requires less data than the chosen plaintext attack, and a little
surprising, but not contradictory, since every known plaintext attack
is a chosen plaintext attack as well.
I think 2^32 is a better bound than 2^43, at least for certain modes
of DES. For instance, after 2^32 blocks in CBC mode, you expect to see
two identical ciphertext blocks, say c[i] and c[j]; the difference
between their predecessors will match the difference between the
corresponding plaintext blocks, i.e.,
p[i] xor p[j] = c[i-1] xor c[j-1]
Information thus starts to leak after 2^32 blocks (square root of the
message space). I would recommend 2^32 blocks as the limit for the
lifetime of a key, and that takes care of the 2^43/2^47 attacks as
well.
Feel free to summarize or repost my comments.
-- Burt
=======
This suggests that another way to meet the cryptanalytic threat to host-to-host
keying is to change the session key well before 2^32 plaintexts have been
encrypted. Consequently, I think that requiring IPv6 security implementations
to support user-to-user keying is too limiting. They can adequately meet
this threat by judicious session key management.
Dan
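The CBC collision leak Burt describes, and the rekeying limit Dan draws from it, can be reproduced at small scale. The following is an added example, not code from either correspondent: a constructed 16-bit keyed permutation stands in for DES so that the 2^(n/2) = 256-block crossover is reached in milliseconds, and the same relation p[i] xor p[j] = c[i-1] xor c[j-1] is checked at the first repeated ciphertext block. Function and variable names are this example's own.

```python
"""Toy reproduction of the CBC birthday-bound leak with a 16-bit block."""
import random

BLOCK_BITS = 16
MOD = 1 << BLOCK_BITS  # 2^16 possible blocks, so ~2^8 blocks until a repeat


def make_toy_cipher(seed):
    # Constructed stand-in for DES: any keyed permutation of the block space
    # shows the same birthday behaviour; only the block size matters here.
    rng = random.Random(seed)
    table = list(range(MOD))
    rng.shuffle(table)
    return table.__getitem__


def cbc_encrypt(enc, iv, plaintext_blocks):
    ciphertext, prev = [], iv
    for p in plaintext_blocks:
        prev = enc(p ^ prev)  # c[k] = E(p[k] xor c[k-1]), c[-1] = IV
        ciphertext.append(prev)
    return ciphertext


def find_collision_leak(iv, plaintext, ciphertext):
    """Return (i, j, leaked_xor) at the first pair c[i] == c[j], or None.

    E is a permutation, so equal outputs imply equal inputs:
    p[i] xor c[i-1] == p[j] xor c[j-1], i.e. p[i] xor p[j] == c[i-1] xor c[j-1].
    """
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            i = seen[c]
            prev_i = iv if i == 0 else ciphertext[i - 1]
            prev_j = ciphertext[j - 1]  # j > i >= 0, so j - 1 >= 0
            leaked = prev_i ^ prev_j
            assert leaked == plaintext[i] ^ plaintext[j]  # the leak, verified
            return i, j, leaked
        seen[c] = j
    return None


def blocks_until_leak(seed, limit):
    """Encrypt `limit` random blocks under one key; blocks used before the
    first leak, or None if the key was retired (limit reached) in time."""
    rng = random.Random(seed + 1)
    enc = make_toy_cipher(seed)
    iv = rng.randrange(MOD)
    plaintext = [rng.randrange(MOD) for _ in range(limit)]
    hit = find_collision_leak(iv, plaintext, cbc_encrypt(enc, iv, plaintext))
    return None if hit is None else hit[1] + 1
```

Averaged over a few seeds, blocks_until_leak lands near the square root of the block space, which is the 2^32 figure for a 64-bit block and the reason a session key should be retired before that many blocks.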