[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 3DES keys



I think this might be misleading:

          The size of the exponent is entirely implementation dependent,
          is unknown to the other party, and can be easily changed.

Both parties must agree on the minimum acceptable exponent size.  It
is not enough for one party to say "I need 56 bits of key so I'll use
a 112 bit exponent" and for the other to say "I need 112 bits of key
so I'll use a 224 bit exponent."  The resulting strength would be the
lesser of the two choices.  So, if both parties want to get keys from
one DH exchange, they've got to agree on the goal.

I am uncertain about the entropy relationship of "keying material" and
"shared secret".  If the shared secret were based on 256-bit exponents,
would this result in an effective 128-bits of "keying material"?  I can't
quite separate the notion of actual bitstring length from the strength
of the keying material in this paragraph:

    The modular exponentiation, elliptic curve, and key generator
    algorithms provide a number of bits of keying material. Use of an
    algorithm which produces a fewer number of keying bits than required
    for a selected transform results in less robust security than would
    otherwise be expected.

I'm not sure how to rewrite the paragraph, but it's got to include these
four notions:

1. length of the shared secret (depends on the modulus or field size)

2. strength of the shared secret (depends on the minimum exponent size
used by Alice and Bob)

3. length of the bitstring of the resulting keying material
(depends on the details of the key generator algorithm)

4. strength of the keying material (should be the minimum of the length of
the keying material bitstring and one-half the minimum exponent).

Both the strength and the length must be appropriate for the resulting
keys (which presumably have strength nearly equal to length).



Follow-Ups: References: