Bugtraq mailing list archives

Re: Nortel CES (3DES version) offers false sense of security when using IPSEC


From: der Mouse <mouse () RODENTS MONTREAL QC CA>
Date: Wed, 28 Feb 2001 17:26:09 -0500

Why is DES keyed with 56 bits, and not 64?  Nobody seemed to know
until a few years ago someone showed that keyed with 56 or 64 bits,
cryptanalysis of DES requires 2^56 operations.

Actually, DES only uses 56 bits of the key, the high order bits of
each byte aren't used anywhere in the algorithm,

In all the cases I've seen where these are passed as eight bytes of
which only seven bits each are used, it's the *low* bit of each byte
that's ignored.  (I agree this borders on insane.  I believe it has
something to do with how DES was originally defined - ie, as a
*hardware* algorithm; those ignored bits are "supposed" to be parity.)

But you still must supply 8 bytes for the key, not just 7.

This depends on the interface. :-)

For that matter, the actual core of DES actually uses something more
like, if memory serves, 48*16=768 bits of key material (the round
keys).  These are normally derived fairly trivially from the 56 bits
selected by the key permutation from the nominal 64-bit input, but they
don't have to be.

Would it increase security to treat it as having 768 bits of key
material?  Quite likely not much - and much of whatever increase does
obtain would come from the relative unpopularity of the result.  It
certainly would not give it the strength a 768-bit key would naïvely
imply.

The same should be done with 3DES: If cryptanalysis can be done in
2^112 operations, it should be keyed with 112 bits, and not with an
arbitrarily higher number.
3DES requires 3 keys, each of 8 bytes in length, totaling 192 bits,
of which only 168 are used (3*56).  And of those, which are the 112
only used bits?

That is not the way it works.  When triple-DES is keyed with 112 bits,
the 168 bits of key material are generated by reusing 56 of the 112.
(I think it's usually
3DES_enc(data,key1key2) = DES_enc(DES_dec(DES_enc(data,key1),key2),key1)
but I'd have to check that.)

3DES is 3 times the use of an old algorithm, it's not that strong, and
it's terribly slow (in software), so why should anyone use it?

Actually, for a 64-bit block cipher with 56 key bits, it's very strong.
It's just that those sizes are a little too small for today's world.

Why should anyone use it?  Because it's one of the most (publicly)
studied algorithms in existence, and still, there isn't any break known
that's more than small factors better than brute force.  I think the
DES cracker machine that was (publicly) built used brute force and lots
of hardware parallelism.

Of course, if you do use DES, you should use it in a way that's suited
to your application.  In some cases, 56 key bits and 64 data bits may
be plenty.  In others, it may be possible to use it in ways - such as
triple-DES - that alleviate some of its shortcomings without rendering
it useless.

And, of course, in others it's just not usable.  (But in that respect
it's no different from any other cryptosystem.)

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
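
The key-size arithmetic discussed in this message, as an added Python example that is not part of the original post. It assumes the common eight-byte key interface with the low bit of each byte as parity, and the K1, K2, K1 arrangement given in the message's formula; all function names are hypothetical and the sample keys are constructed.

```python
# Added illustration: helper names are hypothetical, sample keys are constructed.

def effective_bits(key8: bytes) -> int:
    """Return the 56 bits DES actually uses: the top 7 bits of each key byte."""
    if len(key8) != 8:
        raise ValueError("a DES key is passed as exactly 8 bytes")
    value = 0
    for b in key8:
        value = (value << 7) | (b >> 1)  # drop the low (parity) bit
    return value

def set_odd_parity(key8: bytes) -> bytes:
    """Rewrite the low bit of each byte so every byte has an odd number of 1 bits."""
    if len(key8) != 8:
        raise ValueError("a DES key is passed as exactly 8 bytes")
    out = bytearray()
    for b in key8:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)

def expand_two_key(key16: bytes) -> bytes:
    """Two-key triple-DES: K1 || K2 becomes K1 || K2 || K1 (encrypt-decrypt-encrypt)."""
    if len(key16) != 16:
        raise ValueError("two-key triple-DES takes 16 bytes")
    k1, k2 = key16[:8], key16[8:]
    return k1 + k2 + k1

def distinct_key_bits(key24: bytes) -> int:
    """Upper bound on key bits in a 24-byte key: 56 per distinct effective subkey."""
    if len(key24) != 24:
        raise ValueError("three-key triple-DES takes 24 bytes")
    parts = {effective_bits(key24[i:i + 8]) for i in (0, 8, 16)}
    return 56 * len(parts)

if __name__ == "__main__":
    k1 = bytes.fromhex("0123456789abcdef")   # constructed sample key
    k2 = bytes.fromhex("fedcba9876543210")   # constructed sample key
    flipped = bytes(b ^ 1 for b in k1)       # same key with every parity bit flipped
    print(effective_bits(k1) == effective_bits(flipped))   # both select the same DES key
    print(distinct_key_bits(expand_two_key(k1 + k2)))      # 192 nominal bits, 112 distinct
    print(distinct_key_bits(k1 * 3))                       # degenerate: single-DES strength
```

A key-handling layer can use a check like `distinct_key_bits` to reject triple-DES keys whose subkeys repeat after the parity bits are stripped.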

