[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Clarification on 3DES transforms
Date: Thu, 24 Oct 1996 18:55:48 -0400
From: Naganand Doraswamy <naganand@ftp.com>
> 2. Do we need to give an option whether to use inner-CBC or
> outer-CBC or can we assume that we will support only
> outer-CBC. According to Schneier, inner-CBC is less
> secure against differential attacks but is faster to
> implement as you can parallelize encryption.
>
Biham, in his paper "Cryptanalysis of Triple-Modes of
Operation", shows inner-CBC (CBC|CBC|CBC) is weak
requiring 2^34 plaintexts, 2^60 steps, and 2^33 memory
whereas outer-CBC (ECB|ECB|ECB) requires 3
plaintexts, 2^113 steps, and 2^56 memory.
-dpg
To: Bill Sommerfeld <sommerfeld@apollo.hp.com>
cc: Naganand Doraswamy <naganand@ftp.com>, ipsec@TIS.COM
Subject: Re: Clarification on 3DES transforms
Date: Thu, 24 Oct 1996 23:17:05 -0400
From: Steven Bellovin <smb@research.att.com>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID: <9610250719.aa14757@neptune.TIS.COM>
> DES_Key_I = Truncate(MD5( D_Pad_I | K ),192)
> DES_KEY_I1 = first 64 bits of DES_KEY_I
> DES_KEY_I2 = second 64 bits of DES_KEY_I
> DES_KEY_I3 = third 64 bits of DES_KEY_I
MD5 only produces 128 bits of output, so this is not going to work
very well ... you can't produce I3 because DES_KEY_I only has 128
bits, and you've also wasted 16 bits of entropy because of the @!#^%^&
DES key parity.
Note that if you use SHA instead, you get 160 bits out. If you use
the bits efficiently, you only need 168 (not 192). Where do you find
the remaining 8 bits?
I'm not endorsing the second one, mind you; I want to hear what the
Real Cryptographers(tm) have to say about it..
I don't know if I qualify as a Real Cryptographer, but there is another
alternative worth mentioning. Given that K is long enough, we have
enough input entropy to generate all the DES keys we need. I suggest
using
DES_Key_i = Truncate(MD5( D_Pad_I | i | K), 64)
for i=1, 2, 3. In other words, toss a counter into the mix.
Comments?
References: