
- *To*: Danny.Nessett@Eng
- *Subject*: Quantity of plaintext/ciphertext required for DES crypto

Dan --

It is somewhat counterintuitive that the known plaintext attack requires less data than the chosen plaintext attack, and a little surprising, but not contradictory, since every known plaintext attack is a chosen plaintext attack as well.

I think 2^32 is a better bound than 2^43, at least for certain modes of DES. For instance, after 2^32 blocks in CBC mode, you expect to see two identical ciphertext blocks, say c[i] and c[j]; the difference between their predecessors will match the difference between the corresponding plaintext blocks, i.e.,

    p[i] xor p[j] = c[i-1] xor c[j-1]

Information thus starts to leak after 2^32 blocks (square root of the message space). I would recommend 2^32 blocks as the limit for the lifetime of a key, and that takes care of the 2^43/2^47 attacks as well.

Feel free to summarize or repost my comments.

-- Burt

=======

This suggests that another way to meet the cryptanalytic threat to host-to-host keying is to change the session key well before 2^32 plaintexts have been encrypted. Consequently, I think that requiring IPv6 security implementations to support user-to-user keying is too limiting. They can adequately meet this threat by judicious session key management.

Dan
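The CBC relation quoted above can be checked on a scaled-down cipher. This is an added example, not part of the original messages: `toy_encrypt` is a hypothetical 16-bit Feistel permutation standing in for DES, so the birthday bound falls near 2^8 blocks instead of 2^32, and all names and sample data are constructed for the illustration.

```python
import hashlib
import random

BLOCK_BITS = 16            # toy block size; DES has 64-bit blocks (bound 2^32)
HALF = BLOCK_BITS // 2
MASK = (1 << HALF) - 1

def toy_encrypt(key: bytes, block: int) -> int:
    """4-round Feistel permutation on 16-bit blocks (stand-in for DES, not secure)."""
    left, right = block >> HALF, block & MASK
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << HALF) | right

def cbc_encrypt(key, iv, plaintext):
    """c[i] = E(p[i] xor c[i-1]); element 0 of the result is the IV."""
    cipher = [iv]
    for p in plaintext:
        cipher.append(toy_encrypt(key, p ^ cipher[-1]))
    return cipher

def first_collision(cipher):
    """Return (i, j) with i < j for the first repeated ciphertext block, or None."""
    seen = {}
    for j in range(1, len(cipher)):
        if cipher[j] in seen:
            return seen[cipher[j]], j
        seen[cipher[j]] = j
    return None

def demo(seed=1, nblocks=4096):
    """Encrypt constructed random plaintext; return (j, leaked xor, true xor)."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(8))
    iv = rng.getrandbits(BLOCK_BITS)
    plain = [rng.getrandbits(BLOCK_BITS) for _ in range(nblocks)]
    cipher = cbc_encrypt(key, iv, plain)
    hit = first_collision(cipher)
    if hit is None:
        return None
    i, j = hit
    # cipher[] is shifted by the IV, so p[i] in the text is plain[i - 1] here.
    leaked = cipher[i - 1] ^ cipher[j - 1]      # computable from ciphertext alone
    return j, leaked, plain[i - 1] ^ plain[j - 1]

if __name__ == "__main__":
    print(demo())
```

Rekeying well before the square root of the block space, as the thread recommends, keeps `first_collision` from finding a match under any single key.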
