
Re: Weak keys



   Date: Thu, 16 Apr 1998 15:32:21 -0700
   From: "Derrell D. Piper" <ddp@network-alchemy.com>

   >It also doesn't sound like it will interoperate if new weak keys are
   >discovered and one side is updated to recognize those weak keys (since 
   >the two sides will extract different substrings from the keying
   >material).  After all, the listing of weak keys is subject to growth
   >as more is learned about the systems in question.

   The side that's been updated could just initiate a new rekey, assuming that
   the other side wouldn't be smart enough to do so.

This works.  I would also point out that an algorithm like DES has
received enough attention from the cryptographic community that it is
unlikely that new weak keys will be found.  There may be new attacks
which might make us decide not to use the algorithm at all, but weak
keys tend to be relatively early in the life cycle --- ideally before
the algorithm is published, if there has been sufficient prepublication
review.

If we're using relatively new ciphers that aren't proven, then that's
much more of an issue.  Currently in IKE there is no mention of needing
to do anything with weak keys for anything other than DES.  Given that
(1) it's not clear to me that it is wise to use a relatively new
algorithm, and (2) weak keys are rare enough that it's not clear it's
worth it to worry about such cases anyway.  

(It turns out that with DES in particular, worrying about weak keys is
not particularly useful, since an attacker wouldn't be able to tell if a
weak key was used.  All a weak key means for DES is that there is some
other DES key which, if used to encrypt the ciphertext, will yield
the plaintext.  Even assuming the attacker knew that a weak DES key were
used, I can't see how the attacker would be able to exploit this fact,
especially in the context of IKE phase 1.)

							- Ted
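For reference, here is how an IKE implementation could apply the DES weak-key check the thread is arguing about, and why an updated peer and an un-updated peer end up with different keys. This is an added example, not code from the list or from any IKE implementation; the policy of discarding a weak 8-byte block and taking the next 8 bytes of keying material is an assumption made here for illustration.

```python
# Added example: DES weak/semi-weak key screening over derived keying material.
# Assumption (hypothetical policy): a weak 8-byte block is discarded and the
# next 8 bytes of keying material are used instead.

# The 4 weak and 12 semi-weak DES keys, written with odd parity as usually published.
_DES_WEAK_KEYS_HEX = [
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
]


def _strip_parity(key: bytes) -> bytes:
    # DES uses only 56 of the 64 key bits; the low bit of each byte is parity.
    # Keying material out of a PRF carries no parity, so a byte-for-byte
    # comparison against the published (odd-parity) list would miss weak keys.
    return bytes(b & 0xFE for b in key)


_WEAK_MASKED = {_strip_parity(bytes.fromhex(h)) for h in _DES_WEAK_KEYS_HEX}


def is_des_weak(key: bytes) -> bool:
    """True if the 8-byte key is a DES weak or semi-weak key (parity ignored)."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    return _strip_parity(key) in _WEAK_MASKED


def derive_des_key(keymat: bytes, check_weak: bool = True) -> bytes:
    """Take the first usable 8-byte DES key from keying material.

    check_weak=False models a peer that has not been updated to screen keys.
    """
    for off in range(0, len(keymat) - 7, 8):
        cand = keymat[off:off + 8]
        if not check_weak or not is_des_weak(cand):
            return cand
    raise ValueError("keying material exhausted without a usable DES key")


if __name__ == "__main__":
    # Constructed keying material: a weak key block (parity not set) followed
    # by an ordinary block. The screening peer and the non-screening peer
    # disagree, which is the interoperability problem raised in the thread.
    keymat = bytes.fromhex("0000000000000000" + "0123456789ABCDEF")
    print("screening peer:", derive_des_key(keymat).hex())
    print("legacy peer:   ", derive_des_key(keymat, check_weak=False).hex())
```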

