Re: 3DES with 40-bit key?

At 08:13 PM 3/29/99 -0500, Henry Spencer wrote:
> On Mon, 29 Mar 1999, Dave Perks wrote:
>> Is something like http://www.counterpane.com/low-entropy.html an option?
>> ABSTRACT: We introduce the notion of key stretching, a mechanism to
>> convert short s-bit keys into longer keys...

1) Key stretching, a.k.a. an iterated hash, is an old and limited notion.
UNIX's crypt(3) password format is an example, and illustrates why
this kind of protection doesn't last long.

2) Key amplification is a much better way to negotiate an
"honest 168 bit" key from a smaller key in a network protocol.

3) Henry is right that IKE was not designed to tolerate anything
less than full size keys:

> Fortunately (unfortunately?), the IKE mechanism for IPSEC key negotiation
> is completely defined and does not include any such chicanery.  When it
> keys 3DES, it does it with 168 bits, not with 40 "stretched" to 168.  You
> can't interoperate with it without using an honest 168 bits.

If you legitimately need to use smaller keys, you might consider
an extension based on a key amplification method, like EKE.
Papers are at: <world.std.com/~dpj/links.html>

-- dpj
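
Added example, not part of the original message or of the cited paper: point 1 above carried through in Python. It stretches a short key to 168 bits with a generic iterated hash and shows that exhaustive search still covers only the short-key space, multiplied by the iteration count. SHA-256, the salt, the iteration count and the 10-bit toy key are assumptions chosen for the illustration.

```python
import hashlib
import math

KEY_BYTES = 21  # 168 bits of 3DES keying material


def stretch(short_key: bytes, salt: bytes, iterations: int) -> bytes:
    """Generic iterated hash (assumed construction): feed the digest back in."""
    state = hashlib.sha256(salt + short_key).digest()
    for _ in range(iterations - 1):
        state = hashlib.sha256(state + salt + short_key).digest()
    return state[:KEY_BYTES]


def effective_bits(key_bits: int, iterations: int) -> float:
    """log2 of the hash operations needed to try every short key."""
    return key_bits + math.log2(iterations)


def exhaustive_search(target: bytes, salt: bytes, iterations: int, key_bits: int):
    """Walk the short-key space in order; return (key, candidates tried)."""
    nbytes = (key_bits + 7) // 8
    for tried, candidate in enumerate(range(2 ** key_bits), start=1):
        key = candidate.to_bytes(nbytes, "big")
        if stretch(key, salt, iterations) == target:
            return key, tried
    return None, 2 ** key_bits


# Constructed sample values, small enough to finish in well under a second.
SALT = b"constructed-salt"
ITERATIONS = 64
TOY_KEY_BITS = 10
TOY_KEY = (777).to_bytes(2, "big")

if __name__ == "__main__":
    derived = stretch(TOY_KEY, SALT, ITERATIONS)
    print("output length in bits:", len(derived) * 8)
    found, tried = exhaustive_search(derived, SALT, ITERATIONS, TOY_KEY_BITS)
    print("recovered", found.hex(), "after", tried, "candidates")
    # The output is 168 bits long, but the search cost follows the input key.
    print("toy key work factor (bits):", effective_bits(TOY_KEY_BITS, ITERATIONS))
    print("40-bit key, 2^16 iterations:", effective_bits(40, 2 ** 16))
```

Each doubling of the iteration count adds one bit of work for the searcher and doubles the cost for every legitimate user, which is why the margin erodes as hardware gets faster.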