
Re: CAST5-128 was: A little social engineering




"William Allen Simpson" writes:
> > From: Robert Moskowitz <rgm3@chrysler.com>
> > Our Default cypher in the docs is 56bit DES, and I am not inclined to
> > change it.
>
> Agreed.  If we change the ephemeral keys fast enough, that should be
> good for data with time value of no more than a day or two.

I disagree. See the "Big Seven" paper: 
ftp://ftp.research.att.com/dist/mab/keylength.txt
ftp://ftp.research.att.com/dist/mab/keylength.ps

> My recommendation is to poke a stick in the sand at CAST5-128.

Unfortunately, it is too new. I'd say we mandate DES as we do now, and
recommend 3DES, which has a very solid amount of research behind
it. CAST is probably a good idea in a couple of years when it's been
beaten up more.

> We could certainly use it for a few years until AES is defined and
> analysed.  But do we trust the AES process?  Look how NBS/NIST weakened
> DES from 112 to 56 bit keys 20 years ago!  Folly!

They didn't weaken it, Bill. It turns out that because of Differential
Cryptanalysis, LUCIFER had an inherent strength that was far lower than
the number of keys. They only made the key length correspond to reality.

> If we state an intention to deploy CAST5-128 widely, then maybe we will
> get a few outside analysts to take a hard look at it.

It takes years to do that sort of analysis, and it will happen
anyway. 3DES is my recommendation.

Perry

