
Re: 3DES keys



> From: Hilarie Orman <ho@cs.arizona.edu>
> I think this might be misleading:
>
>           The size of the exponent is entirely implementation dependent,
>           is unknown to the other party, and can be easily changed.
>
Phil's words, so I'll let him defend it.

But, I'm not sure that I agree with your analysis here:

> Both parties must agree on the minimum acceptable exponent size.  It
> is not enough for one party to say "I need 56 bits of key so I'll use
> a 112 bit exponent" and for the other to say "I need 112 bits of key
> so I'll use a 224 bit exponent."  The resulting strength would be the
> lesser of the two choices.  So, if both parties want to get keys from
> one DH exchange, they've got to agree on the goal.
>
As you know, crypto-math isn't my strength.  But, my understanding of
the basic function of exponentiation is that multiplying two unknowns
together yields an uncertainty size which is the _sum_ of the lengths
of the unknowns.  That's how it works for standard errors elsewhere.

For your examples, one party uses 112 bits and the other uses 224,
between them they have 336 bits of uncertainty.  Each doesn't care that
they have more than needed, only that they got enough.

Moreover, the leading zero bits are uncertain, too.  That is, within the
moduli size of 1024, if the exponent could be 1024 or 512 or 256 or
anything in between, then those all have 1024 bits of uncertainty AS
VIEWED FROM AN ATTACKER.  Correct?

That may be what Phil meant about exponent size being an "unknown", even
to the other party.


> I am uncertain about the entropy relationship of "keying material" and
> "shared secret".  If the shared secret were based on 256-bit exponents,
> would this result in an effective 128-bits of "keying material"?

The "keying material" is generated from the "shared secret".  I don't
understand why a 128-bit hash of an unknown (shared-secret) with entropy
of 128-bit strength wouldn't yield 128-bits of strength in the hash?

How does the hash become twice as certain?

> I can't
> quite separate the notion of actual bitstring length from the strength
> of the keying material in this paragraph:
>
Good point.

> I'm not sure how to rewrite the paragraph, but it's got to include these
> four notions:
>
Thanks.  I agree the terms need better detailing, and that they are
different for modular exponentiation than elliptic curves, and also in
the key generation; thus, need elaboration in their respective sections.

> 4. strength of the keying material (should be the minimum of the length of
> the keying material bitstring and one-half the minimum exponent).
>
I don't understand this last.  Where did the 1/2 come from?

(I already disagreed with the "minimum" instead of sum above.)

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
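
Added example, not part of the original message: the quoted points about "the lesser of the two choices" and "one-half the minimum exponent", shown on a toy group with baby-step giant-step, which finds an n-bit exponent in roughly 2^(n/2) multiplications. The 31-bit modulus, the generator and both private exponents are constructed for the illustration.

```python
# Added illustration with toy parameters; none of this is from the original thread.
from math import isqrt

P = 2**31 - 1   # toy prime modulus (constructed; the thread discusses 1024-bit moduli)
G = 7           # a primitive root modulo P

def bsgs(h, bits):
    """Baby-step giant-step: find x < 2**bits with G**x % P == h.
    Returns (x or None, number of group multiplications)."""
    m = isqrt(1 << bits) + 1
    table, cur = {}, 1
    for j in range(m):                 # baby steps: store G^j -> j
        table.setdefault(cur, j)
        cur = cur * G % P
    step, gamma = pow(G, -m, P), h     # giant steps multiply by G^-m
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma], m + i
        gamma = gamma * step % P
    return None, 2 * m

def recover_shared_secret(pub_a, pub_b, max_bits=30):
    """Observer who knows neither exponent size: try growing bounds on each
    public value in turn; whichever exponent is shorter falls first."""
    total = 0
    for bits in range(2, max_bits + 1, 2):
        for target, other in ((pub_a, pub_b), (pub_b, pub_a)):
            x, ops = bsgs(target, bits)
            total += ops
            if x is not None:
                return pow(other, x, P), bits, total
    return None, None, total

def demo():
    a = 0xB57            # constructed 12-bit private exponent (party A)
    b = 0xC3A5F1         # constructed 24-bit private exponent (party B)
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    shared = pow(pub_b, a, P)          # what both parties compute
    guess, bits, ops = recover_shared_secret(pub_a, pub_b)
    return shared, guess, bits, ops

if __name__ == "__main__":
    shared, guess, bits, ops = demo()
    print(f"shared recovered: {guess == shared}, bound hit at {bits} bits, {ops} multiplications")
```

The search stops at the 12-bit bound after a few hundred multiplications, and the 24-bit exponent on the other side never has to be touched.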

