Re: 40bit DES?
>>>>> "Robert" == Robert Moskowitz <rgm-sec@htt-consult.com> writes:
Robert> At 06:09 PM 5/12/98 -0400, Ran Canetti wrote:
>>> > there seems to be 3 things needed for 'US exportable' IPsec:
>>> >
>>> > A 40bit DES ESP algorithm
>>> > A 40bit DES for IKE
>>> > A 512 modulus for D-H
>>> >
>>> > All three items handled by one draft might be called:
>>>
>>> Only the first entry is required. You can leave the IKE
>>> encryption and D-H moduli (and RSA key strengths) at their
>>> normal, standard levels.
>>>
>> Very good point. Just to stress: the cryptographic strength of the
>> algorithms in IKE has nothing to do with the strength of the data
>> encryption. It only determines the level of confidence in the
>> authenticity and secrecy of the agreed key (however long or short
>> it chooses to be). No reason to weaken that.
>>
Robert> Actually there appears to be a reason. There are vendors
Robert> that have problems with getting export license for IKE, too
Robert> strong.
Perhaps the intent is to weaken the ISAKMP SA, so you can read the
quick mode exchanges? Sounds like a good argument to turn on PFS.
paul
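
The PFS point above, as an added example that is not part of the original message: it applies the two KEYMAT formulas from RFC 2409 section 5.5 and shows that the ESP keys follow from the ISAKMP SA secrets plus the quick mode payloads only when no KE payloads are exchanged. Assumptions: HMAC-SHA1 stands in for the negotiated prf, the group is a constructed toy group, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only, not an IKE group: 2**127 - 1 is prime.
P, G = 2**127 - 1, 3

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA1 stands in for whatever prf phase 1 negotiated.
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, protocol, spi, ni_b, nr_b, g_qm_xy=b""):
    # RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    return prf(skeyid_d, g_qm_xy + protocol + spi + ni_b + nr_b)

def quick_mode(skeyid_d: bytes, pfs: bool):
    """Simulate one quick mode. Returns (transcript, keymat); transcript holds only
    the values carried in the exchange, protected by the ISAKMP SA."""
    t = {"protocol": b"\x03",  # PROTO_IPSEC_ESP
         "spi": secrets.token_bytes(4),
         "ni_b": secrets.token_bytes(16),
         "nr_b": secrets.token_bytes(16)}
    shared = b""
    if pfs:
        x = secrets.randbelow(P - 2) + 1   # initiator's ephemeral secret
        y = secrets.randbelow(P - 2) + 1   # responder's ephemeral secret
        t["ke_i"], t["ke_r"] = pow(G, x, P), pow(G, y, P)   # KE payloads
        shared = pow(t["ke_r"], x, P).to_bytes(16, "big")   # g(qm)^xy, never sent
    return t, keymat(skeyid_d, t["protocol"], t["spi"], t["ni_b"], t["nr_b"], shared)

def derive_from_transcript(skeyid_d: bytes, t: dict) -> bytes:
    """What a holder of SKEYID_d and the readable quick mode payloads can compute
    without solving the quick mode Diffie-Hellman."""
    return keymat(skeyid_d, t["protocol"], t["spi"], t["ni_b"], t["nr_b"])

if __name__ == "__main__":
    sk = secrets.token_bytes(20)   # constructed SKEYID_d
    for pfs in (False, True):
        t, km = quick_mode(sk, pfs)
        print(f"PFS={pfs}: ESP keys follow from ISAKMP SA secrets alone:",
              derive_from_transcript(sk, t) == km)
```

With PFS on, the strength of the quick mode group bounds the ESP keys independently of the phase 1 exchange.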