[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DES futile?

To: ipsec@tis.com
Subject: DES futile?
From: "William Allen Simpson" <wsimpson@greendragon.com>
Date: Sat, 21 Jun 97 18:46:49 GMT
Sender: owner-ipsec@ex.tis.com

> From: "Perry E. Metzger" <perry@piermont.com>
> "William Allen Simpson" writes:
> > Agreed.  If we change the ephemeral keys fast enough, that should be
> > good for data with time value of no more than a day or two.
>
> I disagree. See the "Big Seven" paper:
> ftp://ftp.research.att.com/dist/mab/keylength.txt
> ftp://ftp.research.att.com/dist/mab/keylength.ps
>
I've read it.  In some retrospect, you are correct; it not only depends
on the time value of the data, but also the size of the attacker.

Since you are in an industry where a few million $ here and there is no
problem, you are saying that we need a _basic_ protection against large
corporations and major governments?

That is, are you saying we should abandon DES as mandatory?


> > My recommendation is to poke a stick in the sand at CAST5-128.
>
> Unfortunately, it is too new. I'd say we mandate DES as we do now, and
> recommend 3DES, which has a very solid amount of research behind
> it. CAST is probably a good idea in a couple of years when its been
> beaten up more.
>
That's why I'd poke a stick in the sand.  A direction.

It sounds to me like you want something "sooner".


> > We could certainly use it for a few years until AES is defined and
> > analysed.  But do we trust the AES process?  Look how NBS/NIST weakened
> > DES from 112 to 56 bit keys 20 years ago!  Folly!
>
> They didn't weaken it, Bill. It turns out that because of Differential
> Cryptanalysis, LUCIFER had an inherent strenth that was far lower than
> the number of keys. They only made the key length correspond to reality.
>
Mea Culpa, I went back and re-read Schneier on Lucifer, and you are
correct.

Funny how it is the "urban legend" that one remembers most clearly.

I still don't trust secret design criteria and analysis!  Let's remember
that we are designing for the Internet, not the US NIST.  Open, rough
consensus, running code.

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2

Follow-Ups:

Re: DES futile?

From: "Perry E. Metzger" <perry@piermont.com>

Prev by Date: Re: What price security?
Next by Date: Re: calculating IVs
Prev by thread: Re: Time value and 56-bit DES [Re: CAST5-128 was: A little socialengineering]
Next by thread: Re: DES futile?
Index(es):
- Main
- Thread