Bugtraq mailing list archives
Re: Nortel CES (3DES version) offers false sense of security when using IPSEC
From: der Mouse <mouse () RODENTS MONTREAL QC CA>
Date: Wed, 28 Feb 2001 17:26:09 -0500
Why is DES keyed with 56 bits, and not 64? Nobody seemed to know until a few years ago someone showed that keyed with 56 or 64 bits, cryptanalysis of DES requires 2^56 operations.
Actually, DES only uses 56 bits of the key, the high order bits of each byte aren't used anywhere in the algorithm,
In all the cases I've seen where these are passed as eight bytes of which only seven bits each are used, it's the *low* bit of each byte that's ignored. (I agree this borders on insane. I believe it has something to do with how DES was originally defined - ie, as a *hardware* algorithm; those ignored bits are "supposed" to be parity.)
But you still must supply 8 bytes for the key, not just 7.
This depends on the interface. :-) For that matter, the actual core of DES actually uses something more like, if memory serves, 48*16=768 bits of key material (the round keys). These are normally derived fairly trivially from the 56 bits selected by the key permutation from the nominal 64-bit input, but they don't have to be. Would it increase security to treat it as having 768 bits of key material? Quite likely not much - and much of whatever increase does obtain would come from the relative unpopularity of the result. It certainly would not give it the strength a 768-bit key would naïvely imply.
The same should be done with 3DES: If cryptanalysis can be done in 2^112 operations, it should be keyed with 112 bits, and not with an arbitrarily higher number.
3DES requires 3 keys, each of 8 bytes in length, totaling 192 bits, of which only 168 are used (3*56). And of those, which are the 112 only used bits?
That is not the way it works. When triple-DES is keyed with 112 bits, the 168 bits of key material are generated by reusing 56 of the 112. (I think it's usually 3DES_enc(data,key1key2) = DES_enc(DES_dec(DES_enc(data,key1),key2),key1) but I'd have to check that.)
3DES is 3 times the use of an old algorithm, it's not that strong, and it's terribly slow (in software), so why should anyone use it?
Actually, for a 64-bit block cipher with 56 key bits, it's very strong. It's just that those sizes are a little too small for today's world.
Why should anyone use it? Because it's one of the most (publicly) studied algorithms in existence, and still, there isn't any break known that's more than small factors better than brute force. I think the DES cracker machine that was (publicly) built used brute force and lots of hardware parallelism.
Of course, if you do use DES, you should use it in a way that's suited to your application. In some cases, 56 key bits and 64 data bits may be plenty. In others, it may be possible to use it in ways - such as triple-DES - that alleviate some of its shortcomings without rendering it useless. And, of course, in others it's just not usable. (But in that respect it's no different from any other cryptosystem.)
der Mouse
mouse () rodents montreal qc ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
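Added example, not part of the original message: the DES key permutation PC-1 (table as published in FIPS 46-3) applied to an 8-byte key, showing which bit of each byte never reaches the key schedule, plus the K1||K2||K1 expansion used when triple-DES is keyed with 112 bits. The function names and sample keys are constructed for this illustration.

```python
# PC-1 from FIPS 46-3. Bit 1 is the most significant bit of key byte 1.
PC1 = [57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
       10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4]

def key_bit(key, n):
    """Bit n (1..64, FIPS numbering) of an 8-byte key."""
    byte, offset = divmod(n - 1, 8)
    return (key[byte] >> (7 - offset)) & 1

def effective_key(key):
    """The 56 bits PC-1 selects from the nominal 64, packed into an int."""
    if len(key) != 8:
        raise ValueError("DES keys are passed as 8 bytes")
    out = 0
    for n in PC1:
        out = (out << 1) | key_bit(key, n)
    return out

def ignored_bits():
    """Bit positions that PC-1 never reads (the nominal parity bits)."""
    return sorted(set(range(1, 65)) - set(PC1))

def set_odd_parity(key):
    """Rewrite the low bit of each byte so every byte has odd parity."""
    return bytes((b & 0xFE) | (1 ^ (bin(b & 0xFE).count("1") & 1)) for b in key)

def expand_two_key(k1k2):
    """Two-key triple-DES: 16 bytes K1||K2 become 24 bytes K1||K2||K1."""
    if len(k1k2) != 16:
        raise ValueError("two-key 3DES takes 16 bytes")
    return k1k2 + k1k2[:8]

def independent_key_bits(key24):
    """Independent key material in a 24-byte 3DES key, counting each
    distinct 56-bit subkey once. This is key material, not attack cost."""
    if len(key24) != 24:
        raise ValueError("3DES keys are passed as 24 bytes")
    return 56 * len({effective_key(key24[i:i + 8]) for i in (0, 8, 16)})

if __name__ == "__main__":
    k = bytes.fromhex("133457799bbcdff1")      # constructed sample key
    low_flipped = bytes(b ^ 0x01 for b in k)   # differs only in low bits
    print("ignored bit positions:", ignored_bits())
    print("low-bit flip changes key:", effective_key(k) != effective_key(low_flipped))
    k2 = bytes.fromhex("0123456789abcdef")     # constructed sample key
    print("two-key material bits:", independent_key_bits(expand_two_key(k + k2)))
```

Two subkeys that differ only in their low bits count as the same key here, so a 24-byte value can carry as little as 56 bits of independent key material.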