[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 3DES with 40-bit key?

On Mon, 29 Mar 1999, Ari Huttunen wrote:
> ...the only MUST IMPLEMENT algorithm for ISAKMP
> and IPSEC is 3DES, the issue of what to do with
> export control rises. So, assume that export
> control limits the key length to 40 bits. How
> would I specify and negotiate this with IKE?

You can't.

Even in the days when the MUST algorithm was 1DES, the key was 56 bits,
not 40.  3DES's key length is fixed at 168 bits.  IPSEC has never had any
officially-defined provision for doing anything as weak as 40-bit keys;
the IETF has fairly consistently taken the position that specifications
for network security must not be watered down to please oppressive

You cannot build a standard-conforming IPSEC implementation which
restricts keys to 40 bits (or, after the pending changes, 56 bits).  It's
not possible. 

                                                          Henry Spencer

Follow-Ups: References: