
Re: new second mandatory IPsec cipher



In message <199907132041.NAA31539@blowfish.isaac.cs.berkeley.edu>, David Wagner
 writes:
>In article <3.0.6.32.19990713132446.00805420@127.0.0.1>,
>Rodney Thayer  <rodney@ssh.fi> wrote:
>> I think we need to have a second cipher to use, in the event 3DES is
>> found to be unsafe.
>
>If this is indeed the only goal, then I suggest that DESX is not the
>right answer.  It's not different enough to provide the needed diversity.
>I find it difficult to imagine a scenario where 3DES gets broken yet DESX
>somehow remains untarnished.
>
>Don't get me wrong---I think DESX is a nice cipher, and it gives wonderful
>performance for the provided assurance and security level---but if the sole
>criterion is to provide a secure backup cipher in case 3DES fails, DESX
>seems like the wrong choice.
>
>On the remaining choices (Blowfish or CAST-128), I offer no opinions.
>
I agree.  DESX is intended to be a DES variant that's immune to brute-force 
attacks.  It's not necessarily stronger against a cryptanalytic attack.

The reason to have two new ciphers is precisely to defend against a sudden new 
successful attack on a single standard.  Having the two so closely related 
would negate that advantage.

My own personal choice is CAST.  Blowfish has a big key schedule, and I'm not 
that fond of some of its construction.  I'd really like AES, but of course 
that doesn't exist yet.

I will be at CRYPTO next month, and this is indeed a question I was planning 
on discussing.