[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DES <weak> key list?

To: Steven Bellovin <smb@research.att.com>
Subject: Re: DES <weak> key list?
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Date: Wed, 10 Sep 1997 14:53:23 -0400
Address: 1 Amherst St., Cambridge, MA 02139
Cc: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>, ipsec@tis.com
In-Reply-To: Steven Bellovin's message of Wed, 10 Sep 1997 10:37:17 -0400,<199709101437.KAA09123@postal.research.att.com>
Phone: (617) 253-8091
Sender: owner-ipsec@ex.tis.com

   Date: Wed, 10 Sep 1997 10:37:17 -0400
   From: Steven Bellovin <smb@research.att.com>

   I confess that I'm not worried about the possibility of a weak key being
   chosen at random.  Even if one is, so what?  The problem with a weak key
   is that double-encryption with it yields the original plaintext.  We're
   not double-encrypting in general; if there are two independent layers of
   encryption, the odds on hitting a weak key in both is about 1 in 2^108.
   I'll take my chances...

It's even better than that.  Given that we're using CBC, you'd have to
doubly encrypt with the same IV, and the odds that they would be the
same make the probability of lossage even lower.  

It's really not clear this is worth us worrying about it...

							- Ted

Follow-Ups:

Re: DES <weak> key list?

From: Rodney Thayer <rodney@sabletech.com>

References:

Re: DES <weak> key list?

From: Steven Bellovin <smb@research.att.com>

Prev by Date: Re: DES <weak> key list?
Next by Date: No Subject
Prev by thread: Re: DES <weak> key list?
Next by thread: Re: DES <weak> key list?
Index(es):
- Main
- Thread