[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Clarification on 3DES transforms




Date: Thu, 24 Oct 1996 18:55:48 -0400
From: Naganand Doraswamy <naganand@ftp.com>

> 2. Do we need to give an option whether to use inner-CBC or
> outer-CBC or can we assume that we will support only
> outer-CBC. According to Schneier, inner-CBC is less
> secure against differential attacks but is faster to
> implement as you can parallelize encryption.
>

Biham, in his paper "Cryptanalysis of Triple-Modes of
Operation", shows inner-CBC (CBC|CBC|CBC) is weak
requiring 2^34 plaintexts, 2^60 steps, and 2^33 memory
whereas outer-CBC (ECB|ECB|ECB) requires 3
plaintexts, 2^113 steps, and 2^56 memory.


-dpg


To: Bill Sommerfeld <sommerfeld@apollo.hp.com>
cc: Naganand Doraswamy <naganand@ftp.com>, ipsec@TIS.COM
Subject: Re: Clarification on 3DES transforms 
Date: Thu, 24 Oct 1996 23:17:05 -0400
From: Steven Bellovin <smb@research.att.com>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9610250719.aa14757@neptune.TIS.COM>

	 > DES_Key_I  = Truncate(MD5( D_Pad_I | K ),192)
	 > DES_KEY_I1 = first 64 bits of DES_KEY_I
	 > DES_KEY_I2 = second 64 bits of DES_KEY_I
	 > DES_KEY_I3 = third 64 bits of DES_KEY_I
	 
	 MD5 only produces 128 bits of output, so this is not going to work
	 very well ...  you can't produce I3 because DES_KEY_I only has 128
	 bits, and you've also wasted 16 bits of entropy because of the @!#^%^&
	 DES key parity.
	 
	 Note that if you use SHA instead, you get 160 bits out.  If you use
	 the bits efficiently, you only need 168 (not 192).  Where do you find
	 the remaining 8 bits?
	 
	 I'm not endorsing the second one, mind you; I want to hear what the
	 Real Cryptographers(tm) have to say about it..

I don't know if I qualify as a Real Cryptographer, but there is another
alternative worth mentioning.  Given that K is long enough, we have
enough input entropy to generate all the DES keys we need.  I suggest
using

	DES_Key_i = Truncate(MD5( D_Pad_I | i | K), 64)

for i=1, 2, 3.  In other words, toss a counter into the mix.

Comments?




References: