
RE: 3DES with 40-bit key?



Yes me too.  I don't need these e-mails clogging up my mailbox right now.

-----Original Message-----
From:	Gary Hines [SMTP:GHines@vpnet.com]
Sent:	Monday, March 29, 1999 4:41 PM
To:	ipsec@lists.tislabs.com; 'jim@mentat.com'
Subject:	RE: 3DES with 40-bit key?

How do I get off this list?

> ----------
> From: 	jim@mentat.com[SMTP:jim@mentat.com]
> Sent: 	Sunday, March 28, 1999 11:03 PM
> To: 	ipsec@lists.tislabs.com
> Subject: 	Re: 3DES with 40-bit key?
> 
> [ NOTICE!  This list will be hosted at lists.tislabs.com as of March 26.
> There is no need to resubscribe, if you are on the list, you will remain
> on it.  Just begin sending posts, and any administrative requests to
> lists.tislabs.com as of now.  List mail to tis.com will cease to be
> delivered as of March 26, 1999.  ]
> 
> Ari Huttunen wrote:
> 
> > Many of you will think this issue is braindead. 
> > I agree. However, as I understand that from now
> > on the only MUST IMPLEMENT algorithm for ISAKMP
> > and IPSEC is 3DES, the issue of what to do with
> > export control rises. So, assume that export
> > control limits the key length to 40 bits. How
> > would I specify and negotiate this with IKE?
> 
> I wouldn't say it's a braindead idea -- just that it's wrong.  3DES is
> defined in RFC 2451 as having a 192-bit key; 168 bits participate in
> the key schedule.  The key length is not negotiable for this cipher.
> If you were to do the equivalent of the CDMF transform to create a
> DES-like cipher with 40 bits of strength, it wouldn't be DES;
> similarly, a 40-bit version of 3DES would not be 3DES, and you would
> not have implemented this cipher, so you would not have satisfied any
> MUST IMPLEMENT clause.
> 
> If you did something like this and tried to pass it off as a conforming
> IPSec implementation, it would be fraudulent.  If you can't get export
> licenses for the algorithms you want, then you can't export them.
> Simple as that.
> 
> By the way, the "weak ciphers for US export" limit has been raised to
> 56 bits with a BXA review.
> 
> 	Jim Gillogly
>
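
Added example, not part of the original thread or any poster's code: a Python sketch of the key layout Jim Gillogly describes (192-bit key, 168 bits reaching the key schedule, length fixed). The function names and sample keys are constructed for illustration; the check for equal adjacent subkeys goes slightly beyond the post and covers the case where EDE reduces to single DES.

```python
# Added example: key-material checks for 3DES as laid out in the post.
KEY_BYTES = 24      # 192-bit key: three 64-bit DES subkeys
SUBKEY_BYTES = 8    # each byte carries 7 key bits plus 1 parity bit


def set_odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)


def strip_parity(key: bytes) -> bytes:
    """Drop the parity bit; only these bits influence the cipher."""
    return bytes(b & 0xFE for b in key)


def effective_bits(key: bytes) -> int:
    """Bits that participate in the key schedule (7 per byte)."""
    return len(key) * 7


def check_3des_key(key: bytes) -> str:
    """Accept only a full-length key whose subkeys do not collapse."""
    if len(key) != KEY_BYTES:
        # The length is fixed, so a 40-bit (5-byte) key is not a 3DES key.
        return "reject: not a 192-bit key"
    k1, k2, k3 = (strip_parity(key[i:i + SUBKEY_BYTES])
                  for i in (0, 8, 16))
    if k1 == k2 or k2 == k3:
        # E(k3, D(k2, E(k1, x))) cancels down to one DES operation.
        return "reject: collapses to single DES"
    return "ok"


# Constructed sample keys (not real key material).
GOOD_KEY = set_odd_parity(bytes(range(0, 48, 2)))
SHORT_KEY = bytes(5)                                   # 40 bits
# Second subkey differs from the first only in its parity bits.
DEGENERATE_KEY = bytes(range(0, 16, 2)) + bytes(
    b | 1 for b in range(0, 16, 2)) + bytes(range(32, 48, 2))

if __name__ == "__main__":
    for name, k in [("good", GOOD_KEY), ("short", SHORT_KEY),
                    ("degenerate", DEGENERATE_KEY)]:
        print(name, effective_bits(k), check_3des_key(k))
```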