[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms

Scott Fluhrer <sfluhrer@cisco.com> writes:

> On Thu, 12 Jun 2003, Eric Rescorla wrote:
> > Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:
> >
> > > At 10:22 AM -0400 6/12/03, Paul Koning wrote:
> > > >96 is probably enough but it's not a common keysize, so 128 makes
> > > >sense.
> > >
> > > But only if you want to eliminate TripleDES, whose key size is 112
> > > bits. No one counts the parity bits as meaningful.
> > As I understand RFC 2451, the 3DES we uses is 3-key 3DES in
> > EDE mode, so the effective key size should be 168 bits.
> For a cryptographical standpoint, there may be 168 distinct key bits that
> affect the ciphertext, but it is well known that you can break 3DES with
> far less work than O(2**168) effort.  There is a meet-in-the-middle attack
> that (with a lot of memory) brings the effort down to around O(2**112),
> which is what I assume Paul was refering to.
Uh, "lot" means O(2**56), no?

>>  In addition, if you have
> vast quantities of known plaintext encrypted with the same key, Stephan
> Lucks' attack becomes interesting, which reduces the effort a bit more
> (I don't have a solid estimate at hand).
> Neither of these attacks are practical given current current limitations,
> but one should remember that they do exist.

Sure, but under practical conditions the effective key size of
3DES-EDE3 168 bits and it's conventional to refer to it this way.
In the same way, it's conventional to refer to DES as having a strength
of 56 bits despite the fact that if you somehow laid your hands on 2^47
chosen plaintexts the complexity of DES would be a measly O(2^47).


[Eric Rescorla                                   ekr@rtfm.com]