
Question regarding mandatory CBC-DES Support



     The IPSEC spec defines that all implementations MUST support CBC-DES. 
     I have a question regarding the export laws which are associated with 
     it. 
     
     My understanding is that if I make the key 40 bits, then there is no 
     export problem. However, the KDC system that we have implemented 
     generates 128-bit session keys, and these keys are short-lived 
     (meaning that they are one-time keys). I believe that DES has a 
     restricted key length of 64 bits, so I suppose I must truncate the 
     session key to that length.
     
     Has anyone ever tried to export a product which would do this? It 
     seems that the Government would not allow me to do so. One method, I 
     suppose, would be to only use the first 40 bits of the session key, but 
     this considerably weakens the protocol's security.
     
     I would appreciate any help,
     
     Pat R. Calhoun                                e-mail: pcalhoun@usr.com 
     Project Engineer - Lan Access R&D                phone: (847) 933-5181 
     US Robotics Access Corp.

