
DES-XEX3 was: A little social engineering

Goodness, a lot of traffic the past two days!

> From: "Perry E. Metzger" <perry@piermont.com>
> Rich Graveman writes:
> > However, even having read the last two days' comments about performance,
> > I think we should take time to consider DESX, which also appears to have
> > the advantages above at single DES performance.
> If I remember correctly DESX just "whitens" DES with a repeated XOR of
> each block against a static key value. My gut instinct is that I don't
> trust that much. I think of it as multiple encryption of DES and a
> repeated XOR pad, and certainly given that the repeated XOR pad alone
> is completely trivial to break, I'm not sure why I would trust the
> combination of DES with a trivial algorithm...
> Anyway, it doesn't give me comfort.
My memory (from Schneier, Byte, and CryptoBytes) is that this extends
the DES 56-bit key strength up to about 120 bits for brute-force, and
boosts the chosen plaintexts from 2**47 to 2**60 for differential.

Even if my memory is slightly wrong on the numbers, that's pretty
good for a tiny amount of effort, and probably worthwhile.

Also, the old Photuris attribute extensions -02 draft had numerous
attributes defined so that ESP could be negotiated with all the subtle
variations, without defining a slew of transforms.  In Photuris, you
would simply negotiate: ESP, XOR, DES-CBC, XOR.

Nevertheless, Oakley is not as flexible, so I've agreed to write up
DES-XEX3-CBC for ANX Security.  Should be ready by tomorrow.

If you've read draft-simpson-ipsec-enhancement-01.txt, you'll note we
list several alternatives.  One is to XOR a pair of PRNG blocks against
each DES block.  Fast and almost as easy.

So, while I'm at it, I'll write up DES-GEG3-CBC, too!

    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
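
Added example, not part of the original message or of either draft it mentions: the XOR / encrypt / XOR layering discussed above, with a SHA-256 Feistel stand-in in place of DES (Python's standard library has no DES). Running the whitening per block inside the CBC chain, the key values and the sample data are assumptions; `pad_candidates` contrasts a bare repeated XOR pad, where one known block yields the pad, with the layered form.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the same size DES uses
# Constructed sample keys and data (not real key material)
KEYS = (b"prewhite", b"cipherky", b"postwhit")  # (k1, cipher key, k2)
IV = bytes(range(BLOCK))
PT = b"block-01block-02block-03block-04"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key, i, half):  # round function of the stand-in cipher, NOT DES
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def toy_encrypt(key, block):
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, xor(l, round_fn(key, i, r))
    return l + r

def toy_decrypt(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = xor(r, round_fn(key, i, l)), l
    return l + r

def xex_encrypt(k1, k, k2, p):  # pre-whiten with k1, encrypt, post-whiten with k2
    return xor(k2, toy_encrypt(k, xor(p, k1)))

def xex_decrypt(k1, k, k2, c):
    return xor(k1, toy_decrypt(k, xor(c, k2)))

def cbc_encrypt(keys, iv, pt):  # assumption: whitening sits inside the CBC chain
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = xex_encrypt(*keys, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(keys, iv, ct):
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out += xor(xex_decrypt(*keys, c), prev)
        prev = c
    return out

def pad_candidates(pt, ct):  # plaintext XOR ciphertext, per block, as a set
    return {xor(pt[i:i + BLOCK], ct[i:i + BLOCK]) for i in range(0, len(pt), BLOCK)}
```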