RE: 3DES with 40-bit key?
Yes, me too. I don't need these e-mails clogging up my mailbox right now.
-----Original Message-----
From: Gary Hines [SMTP:GHines@vpnet.com]
Sent: Monday, March 29, 1999 4:41 PM
To: ipsec@lists.tislabs.com; 'jim@mentat.com'
Subject: RE: 3DES with 40-bit key?
How do I get off this list?
> ----------
> From: jim@mentat.com[SMTP:jim@mentat.com]
> Sent: Sunday, March 28, 1999 11:03 PM
> To: ipsec@lists.tislabs.com
> Subject: Re: 3DES with 40-bit key?
>
> [ NOTICE! This list will be hosted at lists.tislabs.com as of March 26.
> There is no need to resubscribe, if you are on the list, you will remain
> on it. Just begin sending posts, and any administrative requests to
> lists.tislabs.com as of now. List mail to tis.com will cease to be
> delivered as of March 26, 1999. ]
>
> Ari Huttunen wrote:
>
> > Many of you will think this issue is braindead.
> > I agree. However, as I understand that from now
> > on the only MUST IMPLEMENT algorithm for ISAKMP
> > and IPSEC is 3DES, the issue of what to do with
> > export control rises. So, assume that export
> > control limits the key length to 40 bits. How
> > would I specify and negotiate this with IKE?
>
> I wouldn't say it's a braindead idea -- just that it's wrong. 3DES is
> defined in RFC 2451 as having a 192-bit key; 168 bits participate in
> the key schedule. The key length is not negotiable for this cipher.
> If you were to do the equivalent of the CDMF transform to create a
> DES-like cipher with 40 bits of strength, it wouldn't be DES;
> similarly, a 40-bit version of 3DES would not be 3DES, and you would
> not have implemented this cipher, so you would not have satisfied any
> MUST IMPLEMENT clause.
>
> If you did something like this and tried to pass it off as a conforming
> IPSec implementation, it would be fraudulent. If you can't get export
> licenses for the algorithms you want, then you can't export them.
> Simple as that.
>
> By the way, the "weak ciphers for US export" limit has been raised to
> 56 bits with a BXA review.
>
> Jim Gillogly
>
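
The point in the quoted reply that 3DES key length is not negotiable, shown from the responder side as an added example (not part of the original thread): a check that refuses an IKE phase 1 transform pairing a fixed-key cipher with a Key Length attribute. The attribute class and cipher numbers are those of RFC 2409, Appendix A; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# IKE phase 1 attribute classes and cipher ids (RFC 2409, Appendix A).
ATTR_ENCRYPTION = 1
ATTR_KEY_LENGTH = 14
DES_CBC, IDEA_CBC, TRIPLE_DES_CBC = 1, 2, 5
FIXED_KEY_CIPHERS = {DES_CBC: "DES-CBC", IDEA_CBC: "IDEA-CBC", TRIPLE_DES_CBC: "3DES-CBC"}


def parse_attributes(data):
    """Parse ISAKMP data attributes into a list of (type, value) pairs.

    High bit of the first 16-bit word set: TV form, the next 16 bits are the value.
    High bit clear: TLV form, the next 16 bits are a length, then the value bytes.
    """
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        word, second = struct.unpack_from("!HH", data, off)
        off += 4
        if word & 0x8000:
            attrs.append((word & 0x7FFF, second))
        else:
            if len(data) - off < second:
                raise ValueError("truncated attribute value")
            attrs.append((word, int.from_bytes(data[off:off + second], "big")))
            off += second
    return attrs


def check_transform(data):
    """Return (accepted, reason) for one transform's attribute bytes."""
    try:
        attrs = dict(parse_attributes(data))
    except ValueError as exc:
        return False, str(exc)
    cipher = attrs.get(ATTR_ENCRYPTION)
    if cipher is None:
        return False, "no encryption algorithm attribute"
    # A Key Length attribute only makes sense for variable-key ciphers.
    if cipher in FIXED_KEY_CIPHERS and ATTR_KEY_LENGTH in attrs:
        return False, "%s has a fixed key size; Key Length=%d is not negotiable" % (
            FIXED_KEY_CIPHERS[cipher], attrs[ATTR_KEY_LENGTH])
    return True, "ok"


# Constructed sample inputs: 3DES-CBC alone, then 3DES-CBC with Key Length = 40.
PLAIN_3DES = struct.pack("!HH", 0x8000 | ATTR_ENCRYPTION, TRIPLE_DES_CBC)
WEAK_3DES = PLAIN_3DES + struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, 40)
```

Calling `check_transform(WEAK_3DES)` returns a rejection naming the offending attribute, while `check_transform(PLAIN_3DES)` is accepted.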