[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms
On Thu, 12 Jun 2003, Eric Rescorla wrote:
> Paul Hoffman / VPNC <email@example.com> writes:
> > At 10:22 AM -0400 6/12/03, Paul Koning wrote:
> > >96 is probably enough but it's not a common keysize, so 128 makes
> > >sense.
> > But only if you want to eliminate TripleDES, whose key size is 112
> > bits. No one counts the parity bits as meaningful.
> As I understand RFC 2451, the 3DES we uses is 3-key 3DES in
> EDE mode, so the effective key size should be 168 bits.
For a cryptographical standpoint, there may be 168 distinct key bits that
affect the ciphertext, but it is well known that you can break 3DES with
far less work than O(2**168) effort. There is a meet-in-the-middle attack
that (with a lot of memory) brings the effort down to around O(2**112),
which is what I assume Paul was refering to. In addition, if you have
vast quantities of known plaintext encrypted with the same key, Stephan
Lucks' attack becomes interesting, which reduces the effort a bit more
(I don't have a solid estimate at hand).
Neither of these attacks are practical given current current limitations,
but one should remember that they do exist.