Re: Question regarding mandatory CBC-DES Support
Pat,
One trick that may help you implement both DES-CBC and
comply with a 40 bit key length for general export is to create
a key management system that uses the subset of DES keys that
are used by DES-CDMF (an IBM invention). Normal DES keys are
chosen from a 56 bit space, and CDMF defines a 40 bit subset
of that space that is uniformly distributed across the normal
DES key space. The basic idea is to pick a 40 bit number,
encrypt it with a well known DES key to get a 64 bit number,
which is then parity adjusted to be a proper 56 bit DES key
stored in eight bytes. The standard DES-CBC algorithm is
used with this key.
--Bob
______________________________ Reply Separator _________________________________
Subject: Question regarding mandatory CBC-DES Support
Author: pcalhoun@usr.com at INTERNET
Date: 7/19/96 10:27 AM
The IPSEC spec defines that all implementations MUST support CBC-DES.
I have a question regarding the export laws which are associated with
it.
My understanding is that if I make the key 40 bits, then there is no
export problem. However, the KDC system that we have implemented
generates 128 bit session keys, and these keys are short lived
(meaning that they are one time keys). I believe that DES has
restricted key length of 64 bits, so I suppose I must truncate the
session key to that length.
Has anyone ever tried to export a product which would do this?? It
seems that the Government would not allow me to do so. One method, I
suppose would be to only use the first 40 bits of the session key but
this considerably weakens the protocol's security.
I would appreciate any help,
Pat R. Calhoun e-mail: pcalhoun@usr.com
Project Engineer - Lan Access R&D phone: (847) 933-5181
US Robotics Access Corp.
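
The key derivation outlined in the reply at the top of this message, as an added example that is not part of the original thread and not IBM's published CDMF procedure: a 40 bit seed is encrypted under a fixed public DES key and the result is parity adjusted. The names `DeriveKey`, `setOddParity` and `wellKnownKey` are hypothetical, and the fixed key value is a constructed placeholder. Because the fixed key is public, an attacker still only has 2^40 seeds to search.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// wellKnownKey is a constructed placeholder for the fixed, public DES key.
// It is not the constant used by IBM's CDMF.
var wellKnownKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// setOddParity forces the low bit of every byte so that each byte has an odd
// number of 1 bits, the DES key convention. Only the top 7 bits of each byte
// are key material, which is why 8 bytes carry a 56 bit key.
func setOddParity(k []byte) {
	for i, b := range k {
		b &= 0xFE
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		k[i] = b
	}
}

// DeriveKey expands a 40 bit seed into an 8 byte DES key. The output looks
// like any other DES key, but only 2^40 distinct keys can ever be produced.
func DeriveKey(seed uint64) ([]byte, error) {
	if seed>>40 != 0 {
		return nil, fmt.Errorf("seed %#x does not fit in 40 bits", seed)
	}
	c, err := des.NewCipher(wellKnownKey)
	if err != nil {
		return nil, err
	}
	key := make([]byte, des.BlockSize)
	binary.BigEndian.PutUint64(key, seed) // seed zero-extended to one block
	c.Encrypt(key, key)                   // spread the seed over 64 bits
	setOddParity(key)
	return key, nil
}

func main() {
	key, err := DeriveKey(0x0123456789) // constructed sample seed
	if err != nil {
		panic(err)
	}
	fmt.Printf("derived DES key: %x\n", key)
}
```

The returned slice can be passed unchanged to `des.NewCipher` and then `cipher.NewCBCEncrypter`, matching the point that standard DES-CBC is used with the derived key.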