Re: new second mandatory IPsec cipher
In message <199907132041.NAA31539@blowfish.isaac.cs.berkeley.edu>, David Wagner
writes:
>In article <3.0.6.32.19990713132446.00805420@127.0.0.1>,
>Rodney Thayer <rodney@ssh.fi> wrote:
>> I think we need to have a second cipher to use, in the event 3DES is
>> found to be unsafe.
>
>If this is indeed the only goal, then I suggest that DESX is not the
>right answer. It's not different enough to provide the needed diversity.
>I find it difficult to imagine a scenario where 3DES gets broken yet DESX
>somehow remains untarnished.
>
>Don't get me wrong---I think DESX is a nice cipher, and it gives wonderful
>performance for the provided assurance and security level---but if the sole
>criterion is to provide a secure backup cipher in case 3DES fails, DESX
>seems like the wrong choice.
>
>On the remaining choices (Blowfish or CAST-128), I offer no opinions.
>
I agree. DESX is intended to be a DES variant that's immune to brute-force
attacks. It's not necessarily stronger against a cryptanalytic attack.

The reason to have two new ciphers is precisely to defend against a sudden new
successful attack on a single standard. Having the two so closely related
would negate that advantage.

My own personal choice is CAST. Blowfish has a big key schedule, and I'm not
that fond of some of its construction. I'd really like AES, but of course
that doesn't exist yet.

I will be at CRYPTO next month, and this is indeed a question I was planning
on discussing.