[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: new second mandatory IPsec cipher



In article <3.0.6.32.19990713132446.00805420@127.0.0.1>,
Rodney Thayer  <rodney@ssh.fi> wrote:
> I think we need to have a second cipher to use, in the event 3DES is
> found to be unsafe.

If this is the indeed the only goal, then I suggest that DESX is not the
right answer.  It's not different enough to provide the needed diversity.
I find it difficult to imagine a scenario where 3DES gets broken yet DESX
somehow remains untarnished.

Don't get me wrong---I think DESX is a nice cipher, and it gives wonderful
performance for the provided assurance and security level---but if the sole
criterion is to provide a secure backup cipher in case 3DES fails, DESX
seems like the wrong choice.

On the remaining choices (Blowfish or CAST-128), I offer no opinions.