Re: 3DES keys
>
> In Photuris, all the keys are generated by hashing from the
> shared-secret. Assume the shared-secret length is 128-bits, and its
> strength is therefore 64-bits. But given MD5, its 128-bit length
> birthday attack is also 64-bit strength.
>
> So, I don't understand why one would use more than 128 bits for the
> length of the shared-secret. Why would the conservative advice be 256
> bit length?
>
I don't see how MD5's collision resistance is relevant here. MD5 is
being used mainly as a one-way mixing function to make its output appear
uniformly distributed.

Anyhow, the length of the input to MD5 isn't an interesting quantity:
it's the strength (the effective entropy) that matters.

If the input to MD5 can be guessed with 2^64 operations, the output
can also be guessed with 2^64 operations. This is insufficient for
(e.g.) IDEA.

That explains the advice that (conservatively) you want 128 bits of
entropy in the shared secret (which is input to MD5): because (conservatively)
you want 128 bits of entropy in the IDEA key.

Now for discrete-log based key exchange algorithms, 128 bits of entropy
in the shared secret corresponds to a length of 256 bits.

But again, the *length* of the shared secret isn't the fundamental
quantity: the *strength* of the shared secret is the important value;
then you derive the required length by an algorithm-dependent process.
(The relative relationship between length & strength depends on the key
exchange algorithm, while the absolute required strength depends on the
underlying symmetric-key encryption algorithm.)
References:
- Re: 3DES keys
- From: "William Allen Simpson" <bsimpson@morningstar.com>
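The following is an added illustration of the reply's point; it is example code written for this page, not code from the thread, from Photuris, or from any of the correspondents. It models a shared secret that is padded out to a chosen length (128 or 256 bits) but carries only k bits of entropy, derives a 128-bit key from it with MD5 as the thread describes, and then shows that a guesser who enumerates the secret's entropy space recovers the derived key in at most 2^k MD5 evaluations, regardless of the secret's length or the hash's 128-bit output. The function names (`derive_key`, `expand_secret`, `recover_key`, `demo`) and the padding scheme that stretches the secret to a given length are assumptions made for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Added example (not from the mailing-list thread or the Photuris drafts).
# It demonstrates that MD5 does not add strength to a guessable shared
# secret: the derived key falls to the same number of guesses as the secret.


def derive_key(shared_secret: bytes, label: bytes = b"") -> bytes:
    """Photuris-style derivation as described in the thread: the key is the
    MD5 hash of the shared secret.  The optional label is an assumption here,
    standing in for whatever context Photuris mixes in."""
    return hashlib.md5(shared_secret + label).digest()


def expand_secret(counter: int, entropy_bits: int, length_bytes: int) -> bytes:
    """Construct a shared secret that is `length_bytes` long but carries only
    `entropy_bits` of entropy: the only varying part is `counter`; the rest
    is deterministic filler.  This models a weak key exchange whose output
    is long but not strong (constructed for the example)."""
    if not 0 <= counter < (1 << entropy_bits):
        raise ValueError("counter lies outside the modelled entropy space")
    core_len = (entropy_bits + 7) // 8
    core = counter.to_bytes(core_len, "big")
    # Filler derived from the core: adds length, adds no entropy.
    filler = hashlib.md5(core).digest() * (length_bytes // 16 + 1)
    return (core + filler)[:length_bytes]


def recover_key(target_key: bytes, entropy_bits: int, length_bytes: int,
                label: bytes = b"") -> Tuple[Optional[bytes], int]:
    """Enumerate the secret's entropy space and stop when the MD5-derived key
    matches.  Returns (recovered_secret or None, number of guesses made).
    Work is bounded by 2**entropy_bits, never by the secret's length."""
    guesses = 0
    for counter in range(1 << entropy_bits):
        guesses += 1
        candidate = expand_secret(counter, entropy_bits, length_bytes)
        if derive_key(candidate, label) == target_key:
            return candidate, guesses
    return None, guesses


def demo(entropy_bits: int, length_bytes: int) -> Dict[str, object]:
    """Pick a random secret of the given length and entropy, derive the key,
    and measure how many guesses an enumerator needs to recover it."""
    counter = secrets.randbelow(1 << entropy_bits)
    secret = expand_secret(counter, entropy_bits, length_bytes)
    key = derive_key(secret)
    found, guesses = recover_key(key, entropy_bits, length_bytes)
    return {
        "secret_length_bits": length_bytes * 8,
        "entropy_bits": entropy_bits,
        "derived_key_bits": len(key) * 8,   # always 128 for MD5
        "recovered": found == secret,
        "guesses": guesses,
        "worst_case_guesses": 1 << entropy_bits,
    }


if __name__ == "__main__":
    # Same entropy, different lengths: the 256-bit secret is no harder.
    for length in (16, 32):
        print(demo(entropy_bits=16, length_bytes=length))
```

Running the two demos side by side shows the quantity the reply calls "strength": both the 128-bit-long and the 256-bit-long secret fall within 2^16 guesses, and the 128-bit MD5 output inherits exactly that strength, which is why the advice is stated in bits of entropy and then translated into a length per key-exchange algorithm.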