-----BEGIN PGP SIGNED MESSAGE----- On Sat, 10 May 1997, Black Unicorn wrote:
The amount of confusion over what represents a good algorithm is also interesting. Take CAST, which seems a promising cipher and which we considered using over IDEA.
On asking 4 "experts" about CAST, I got 4 answers.
1> A 64 bit cipher with 40 bits secret. 2> A 64 bit cipher - not expected to be very complete. 3> A 128 bit cipher. 4> "Not worth discussing."
In fact, as I understand it, CAST is of variable key length (Up to 128 bits), and quite resistant to many attacks which plague DES and even IDEA.
But digging out that information was painfully difficult. (It may not even be correct).
According to _Applied Cryptography_, CAST is a Feistel cipher with a 64-bit block length and 64-bit key length. So far, brute force is the only known attack. As far as "obscenely large" key lengths are concerned, 3-key triple DES uses a 168-bit key. This is used in many crypto packages, including export-controlled Netscape, and is being considered as a replacement for DES in the U.S. Triple DES will probably also be supported in the next version of PGP. Blowfish supports keys as long as 448 bits and RC4 supports keys up to 2048 bits. The problem with variable length ciphers is that programs that use them to not actually take advantage of variable keys and just stick to using keys of a fixed, and small, size. Using large key sizes for passphrase-based systems is difficult, because it's just too difficult to remember a passphrase with enough entropy to make a difference. Assuming a random passphrase with 6 bits of entropy per character, over 21 characters would have to be used for there to be 128 bits of entropy. Systems that use randomly generated keys are limited only by the amount of available entropy, but then the passphrase security to encrypt the secret key or physical security become important. Using excessively long keys does not do much for security, as there are always going to be weaker links that an attacker can take advantage of. It doesn't hurt to use a 256-bit key, or larger, but it doesn't do much good, either. Mark -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQEVAwUBM3UK/yzIPc7jvyFpAQEhIwf+NYr0gHWWd2r056+MCZp/v5Y5KmpdxSz8 mXOM+GOm4bxk5OufCcw7FWKoJYNxklII3yDl1s9+xd5iegwX7T+rRWo1qc1/MAOJ JJdMxy87T6qHgO28GUa6eNe/3g9d76z4U3E95u4mNMVs4mEQcD16lgXpfZPDZO0z c7SxEfAK2rCxZeakZ0c/QEgraWIYLjpyl0EsHNVw+PszlGtrQKEFSJNSGI9dhKkc WT6oHiisE1F+GNLn7PyBzby8HxEW9zwWSU3coa75yqwHfNNVCkb/s2Yh3cyw5LhP mrMlQcVBH6A4J5iJQJcEfoKN9p+rZA/Rl5FjApWFG3cVMxq0ZXGjZg== =eI9X -----END PGP SIGNATURE-----