Bugtraq mailing list archives
Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC
From: Rogier Wolff <R.E.Wolff () BITWIZARD NL>
Date: Wed, 28 Feb 2001 10:37:46 +0100
Andrew Thomas wrote: [Charset iso-8859-1 unsupported, filtering to ASCII...]
-----Original Message----- From: Rogier Wolff [mailto:R.E.Wolff () BITWIZARD NL] Sent: Wednesday, February 28, 2001 12:38 AM To: BUGTRAQ () SECURITYFOCUS COM Subject: Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSECStill, I remember that using triple-DES with three keys only had a complexity on the order of 2^112. No matter what you tried.
Due to the meet-in-the-middle attack on 3DES, the keyspace for a brute-force attack was reduced to 2^112. However, there was an additional space-complexity of 2^56 (+-half an exabyte), which adds an additional constraint.
OK. Good. But I remember there being a trick that would allow you to say reduce the "space-complexity" by a factor of 1000, in exchange for a computational expansion of 1000 in such a case.
It is arguable that if 2^112 bit time is within reach, then 2^56 storage should not be an issue.Sure you can design super-duper-crypto scheme that uses a gigantic key, but as long as the resulting crypto only has 2^56 complexity to break, it doesn't have any real advantages over, say, DES.
3DES in various forms does not have this property - as explained above, and is a definite improvement over DES.
This was NOT saying that 3DES isn't better than DES. I'm trying to get across that putting in keybits doesn't always improve the crytanalisys effort. So everybody is telling me that 3DES can be keyed with 56, 112, or 168 bits. Fine. Agreed. But also several people have replied that my original statment that "even when keyed with 168 bits, the complexity of breaking it is not more than on the order of 2^112" holds.
However, given the state of technology, the major risks about 3DES should come from cryptanalytic attacks, rather than brute-force. There may be interactions that arise when repeating the DES operations that somehow weaken the strength of the resulting encryption.
Suppose that I am designing a protocol, that needs to be secure for the coming 20 years. Computational power expands by 10 bits every 10 years. However, to be safe I should count on 20 bits for every 10 years. Three years ago (3 bits), DES was cracked in under an hour. I want to be safe against an attack that takes a month (9 bits), and uses a 100 times (7 bits) more expensive computer. So, above the 56 bits that were cracked, to be safe 20 years from now I need 2*20 + 3+9+7 = 59 bits. So, I need 56+59 = 115 bits of security to approve an algorithm for my protocol. If 3DES is advertized as having 168 bit security, I'd happily go for 3DES: 53 bits to spare! However, since 3DES only has 112 bit strength (even when keyed with 168 bits), this decision is wrong! This is why it is important that if 3DES has 112 bit security, it is advertized as such, even when now 112 bits is just as impractical for us as 168 bits. Roger. -- ** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 ** *-- BitWizard writes Linux device drivers for any device you may have! --* * There are old pilots, and there are bold pilots. * There are also old, bald pilots.
Current thread:
- Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC Rogier Wolff (Feb 28)
- Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC Casper Dik (Feb 28)