[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 40bit DES?

To: rgm-sec@htt-consult.com
Subject: Re: 40bit DES?
From: Paul Koning <pkoning@xedia.com>
Date: Wed, 13 May 1998 11:23:20 -0400
Cc: ipsec@tis.com
References: <9805122209.AA30010@ornavella.watson.ibm.com><3.0.5.32.19980513000415.0096f700@homebase.htt-consult.com>
Sender: owner-ipsec@ex.tis.com

>>>>> "Robert" == Robert Moskowitz <rgm-sec@htt-consult.com> writes:

 Robert> At 06:09 PM 5/12/98 -0400, Ran Canetti wrote:
 >>> > there seems to be 3 things needed for 'US exportable' IPsec: >
 >>> > A 40bit DES ESP algorithm > A 40bit DES for IKE > A 512 modulus
 >>> for D-H > > All three items handled by one draft might be called:
 >>> 
 >>> Only the first entry is required. You can leave the IKE
 >>> encryption and D-H moduli (and RSA key strengths) at their
 >>> normal, standard levels.
 >>> 
 >> Very good point. Just to stress: the cryptographic strength of the
 >> algorithms in IKE has nothing to do with the strength of the data
 >> encryption. It only determines the level of confidence in the
 >> authenticity and secrecy of the agreed key (however long or short
 >> it chooses to be). No reason to weaken that.
 >> 
 Robert> Actually there appears to be a reason.  there are vendors
 Robert> have problems with getting export license for IKE, too
 Robert> strong.

Perhaps the intent is to weaken the ISAKMP SA, so you can read the
quick mode exchanges?  Sounds like a good argument to turn on PFS.

	paul

Follow-Ups:

Re: 40bit DES?

From: Robert Moskowitz <rgm-sec@htt-consult.com>

References:

Re: 40bit DES?

From: Ran Canetti <canetti@watson.ibm.com>

Re: 40bit DES?

From: Robert Moskowitz <rgm-sec@htt-consult.com>

Prev by Date: I-D ACTION:draft-ietf-ipsec-arch-sec-05.txt
Next by Date: Re: 40bit DES?
Prev by thread: Re: 40bit DES?
Next by thread: Re: 40bit DES?
Index(es):
- Main
- Thread