[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 3DES with 40-bit key?

Ari Huttunen wrote:
> So, which algorithm would you recommend for an export hampered
> IPSec box to implement? Remember that it will have to be interoperable
> with the other routers out there, which by now will only have to support
> 3DES

If you need to interoperate with a router that uses real 3DES,
you need real 3DES.  If it hands you a 192-bit key and you try
to send it data encrypted with only 40 bits of that, it'll fail
the authentication.  I don't see that there's an issue.  If you
don't like the fact that you can't legally export it from the
U.S., see your Congressman: there's a bill in process that offers
export relief if someone outside the US and Canada is selling the
same sort of thing.

> > By the way, the "weak ciphers for US export" limit has been raised to
> > 56 bits with a BXA review.
> I wonder... If I remember correctly what the Wassenaar agreement
> stated, 56 bits was allowed for some uses, while still not allowed
> for all possible uses.

You can use 56 bits now for anything you used to be able to use
40 bits for, again assuming you've gotten the clearance from BXA.
Of course, there are still countries for which you can't get a
license.  You can use stronger crypto for certain customers --
primarily fixed targets, mostly in the financial arena.  See
http://www.bxa.doc.gov/Encryption/EncrypolicyUpdate.htm .

	Jim Gillogly