wonderer wrote:
One other point... is the decision to encrypt-decrypt-encrypt when applying triple DES arbitrary? Why not just encrypt with k1 and then encrypt with k2. Isn't the effect the same?

Encrypting with k1 and then k2 leaves you open to the "meet in the middle" attack. Say I get a copy of the plaintext and ciphertext. I could encrypt the plaintext with 2^56 keys, and decrypt the ciphertext with 2^56 keys. Then by matching results of the above steps, I could figure out k1 and k2.

The work for this attack is 2^56 + 2^56 = 2^57, which suggests that double encryption doesn't increase the complexity of breaking your text very much. It only increases it from 2^56 to 2^(56+1). So if you use the same k1 and k2 for all your documents and it is worth my time and money to figure out k1 and k2, favoring double encryption over single encryption doesn't make much sense.

Otherwise, there was fear that DES was a group (encrypting with k1 and k2 is equivalent to encrypting once with k3), but I think this got buried (?) recently.

Also, with the triple encrypt-decrypt-encrypt, if you pick the same key for each step, it is equivalent to just single encryption. Which may be of importance in compatibility issues, etc.

--
Karl L. Barrus: klbarrus@owlnet.rice.edu
keyID: 5AD633 hash: D1 59 9D 48 72 E9 19 D5 3D F3 93 7E 81 B5 CC 32

"One man's mnemonic is another man's cryptography"
  - my compilers prof discussing file naming in public directories
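
The cost argument in the reply above can be checked at small scale. This is an added example, not part of the original post: it uses a constructed toy Feistel cipher (16-bit block, 12-bit key, not DES) with hypothetical function names and constructed keys and plaintexts, so the meet-in-the-middle search costs about 2 * 2^12 cipher operations against a 2^24 double-key space. It also shows that encrypt-decrypt-encrypt with one repeated key reduces to single encryption.

```python
# Toy 16-bit Feistel cipher with a 12-bit key (constructed for this example; not DES).
KEY_BITS = 12
ROUNDS = 4

def _f(half, key, rnd):
    # Round function: mixes an 8-bit half with the key; it need not be invertible.
    x = (half * 167 + key * (2 * rnd + 3)) & 0xFFFF
    return (x ^ (x >> 5) ^ (x >> 9)) & 0xFF

def encrypt(block, key):
    l, r = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 8) | r

def decrypt(block, key):
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 8) | r

def double_encrypt(p, k1, k2):
    return encrypt(encrypt(p, k1), k2)

def ede(p, k1, k2, k3):
    # Triple encryption in encrypt-decrypt-encrypt order.
    return encrypt(decrypt(encrypt(p, k1), k2), k3)

def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with all known (plaintext, ciphertext) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    # Forward half: 2^KEY_BITS encryptions of the plaintext, indexed by middle value.
    middle = {}
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(encrypt(p0, k1), []).append(k1)
    # Backward half: 2^KEY_BITS decryptions of the ciphertext, looked up in the table.
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in middle.get(decrypt(c0, k2), []):
            # One pair leaves false matches; the remaining pairs filter them out.
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found

def demo():
    k1, k2 = 0x3A7, 0xC15                  # constructed secret keys
    plaintexts = [0x1234, 0xBEEF, 0x0F0F]  # constructed known plaintexts
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    return (k1, k2), meet_in_the_middle(pairs)

if __name__ == "__main__":
    secret, candidates = demo()
    print("secret:", secret, "recovered:", candidates)
    print("EDE, one key == single:", ede(0x1234, 0x3A7, 0x3A7, 0x3A7) == encrypt(0x1234, 0x3A7))
```

A single known pair matches many wrong key pairs by chance, because the 24 bits of key outnumber the 16 bits of block, which is why the search checks each candidate against the extra pairs.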