
Re: 40bit DES?



OK... since you asked. It's not really needed for export. 

While our government will generally grant VPN products an export license
for 56bit IPsec under a "key management infrastructure exemption" and
you can send it all over the world, you can't import it into France
unless it's no stronger than 40 bits.

The main issue is that the French cannot buy strong (>40 bit) crypto
from any external company without specific pre-authorization.

Arguments about the strength of des40 aside, is it really better to
offer them only AH? Or NULL ESP?

So you have to rekey every few minutes, it keeps the crypto chip guys in
beer and peanuts :-).



John O'Hara



Jim Gillogly wrote:
> 
> Tell me again why we want it?  We already have the NULL ESP algorithm,
> which provides a proof of concept of the framework without providing
> security.  Another such algorithm would seem to be overkill.
> 
> Again -- our job is to provide a technical spec to allow people to
> communicate securely.  If we compromise it so that the lowest common
> denominator is insecure, we're wasting our time.
>

