[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Slicing and dicing

To: Phil Karn <karn@qualcomm.com>
Subject: Re: Slicing and dicing
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Date: Fri, 12 Sep 1997 12:35:56 -0400
Address: 1 Amherst St., Cambridge, MA 02139
Cc: karl@Ascend.COM, rodney@sabletech.com, ipsec@tis.com, karn@qualcomm.com
In-Reply-To: Phil Karn's message of Thu, 11 Sep 1997 22:40:23 -0700 (PDT),<m0x9OSt-000HUqC@laptop.ka9q.ampr.org>
Phone: (617) 253-8091
Sender: owner-ipsec@ex.tis.com

   Date: Thu, 11 Sep 1997 22:40:23 -0700 (PDT)
   From: Phil Karn <karn@qualcomm.com>

   How likely are we to generate a weak key by random accident? Is it
   worth worrying about?

Well, there are 4 weak keys, and 16 semi-weak keys, out of possible
2**56 keys.  So the probability of picking one of these weak keys is 
(20 * 2**-56).  

Now, the property of having a weak or semi-weak key K is that there is
exactly one key (in the case of the weak key, itself), K', such that
encrypting with K and then encrypting with K' results in the original
plaintext.  Given that we are using CBC mode, the random IV also must be
the same.  

Note that this is also only a problem if we some how end up
re-encrypting the encrypted packet again, such as in applications where
you might be using two layers of ESP for some reason.  In those cases,
the probability of trouble would be (20 * 2**-56 * 2**-56 * 20**-64), or
(20 * 2**-176), or 2 * 10**-52.

						- Ted

Follow-Ups:

Re: Slicing and dicing

From: Cheryl Madson <cmadson@cisco.com>

Re: Slicing and dicing

From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>

References:

Re: Slicing and dicing

From: Phil Karn <karn@qualcomm.com>

Prev by Date: Re: Slicing and dicing
Next by Date: Re: Slicing and dicing
Prev by thread: Re: Slicing and dicing
Next by thread: Re: Slicing and dicing
Index(es):
- Main
- Thread