Bugtraq mailing list archives
Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC
From: Rogier Wolff <R.E.Wolff () BITWIZARD NL>
Date: Wed, 28 Feb 2001 15:06:22 +0100
Kent Borg wrote:
Rogier Wolff <R.E.Wolff () BITWIZARD NL> wrote (or possibly quoted someone else):The use of double and triple encryption does not always provide the additional security that might be expected.Yes, but an additional step of independent encryption (using a completely unrelated key) should not weaken a good crypto algorithm. For if it did, an attacker could take a message s/he is trying to crack and encrypt it one more time before trying to crack it. I think the problem with 112-bit double-DES was not that it was weaker than single-DES, it was that it wasn't stronger.
Similarly: 3DES isn't stronger than 112 bits. I'm not claiming that 3DES is weaker than 112 bits. I claim that some smart people found that cracking 3DES requires only on the order of 2^112 operations, and that keying 3DES with 112bits of significant key was possible, and that therefore it is useless to use 3DES with more than 112 bits of key. Why is DES keyed with 56 bits, and not 64? Nobody seemed to know until a few years ago someone showed that keyed with 56 or 64 bits, cryptanalysis of DES requires 2^56 operations. The same should be done with 3DES: If cryptanalysis can be done in 2^112 operations, it should be keyed with 112 bits, and not with an arbitrarily higher number. (now if you do the 112->168 expansion of the key foolishly, you may end up with an even weaker encryption scheme than 112 bits. But the smart guys proved that you can key with 112 bits and still require 2^112 operations to crack it)
-kb, the Kent who encoded this message in rot-13, and, for *extra* security, encoded it the same way a second time.
Showing that if you do crypto foolishly, you can cause get a false
sense of security. If rot13 had a 1-bit key, and so doing it twice has
a two-bit key. Suppose that 1bit key would be enough for my purposes.
Then having a two-bit key would be security for the future! Right?
No! If my application requires 130 bit security, and 3DES advertizes
168 bits of security, then things go wrong. The good guys believe the
ads. The bad guys know better: 3DES only offers 112 bits of security.
This is BAD!
Roger.
--
** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* There are old pilots, and there are bold pilots.
* There are also old, bald pilots.
Current thread:
- Nortel CES (3DES version) offers false sense of security when usi ng IPSEC spitko (Feb 26)
- Re: Nortel CES (3DES version) offers false sense of security when usi ng IPSEC Tina Bird (Feb 27)
- Re: Nortel CES (3DES version) offers false sense of security when usi ng IPSEC Rogier Wolff (Feb 27)
- Re: Nortel CES (3DES version) offers false sense of security when usi ng IPSEC Dan Kaminsky (Feb 27)
- Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC MCKILLICAN, DONALD (Feb 27)
- Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC MCKILLICAN, DONALD (Feb 27)
- Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC Rogier Wolff (Feb 27)
- Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC Valdis Kletnieks (Feb 28)
- Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC Valdis Kletnieks (Feb 28)
- Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC Kent Borg (Feb 28)
- Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC Rogier Wolff (Feb 28)
- Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC Jack Lloyd (Feb 28)
- Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC Luciano Miguel Ferreira Rocha (Feb 28)
- Re: Nortel CES (3DES version) offers false sense ofsecuritywhen usi ng IPSEC MCKILLICAN, DONALD (Feb 28)