
Re: 40bit DES?




Eric Vyncke writes:
> I'm a European guy working for an American company :-)
> and I have talked with dozens of organizations on this topic.
> 
> May I just add my few 0.01 EUR to the discussion ?
> 
> 1) There *are* countries which forbid the use of 40+ encryption
> (France is the most known!). This is a local issue only and
> has nothing to do with US.

Then, why use any encryption at all? If you need latency added to your 
application, then use a timer function.

> 2) There *are* applications which are secured enough with a
> 40-bit encryption (think about grammar school, small/medium
> business with nearly no industrial secret, ...).

If it is worth spending the CPU cycles that ISAKMP takes and then that 
the DES algorithm is going to take, then it is worth encrypting
right. Otherwise, why add the delay and expense? If you aren't going
to add security, why go through the whole ISAKMP rigamarole?

> 1) + 2) makes the standardization of 40-bit ESP mandatory. period.

Since 1) and 2) are useless, you haven't made any case here.

People still seem to have this delusion that 40 bits is somehow better 
than nothing. It is WORSE than nothing. It provides no security, but
costs money. It gives you an illusion at the expense of heavy CPU
utilization. If you really need latency added, why not just put in
delay loops?

> PS: do not take my e-mail message as it is not. If someone
> ever presented 40-bit encryption as secure enough for *any*
> application, I would call his/her statement like a lie...

If it isn't adding security, why is it worth an engineer's time to
write, a salesman's time to sell, and a customer's money to buy?

Perry

