Re: [Fwd: Cylink can export 128-bit DH?]
At 12:22 AM 5/2/96 +0700, peng-chiew low wrote:
Daniel R. Oelke wrote:
There are provisions for exporting DES for banking purposes. Generally it is a hardware card that "can't" be reused outside of the banking transfer machine.
So far, I've seen DES software from a couple of U.S. companies. The question is "Is it the U.S. domestic DES or "export flavored" DES? As for the hardware, would'nt it be inconsistant if the DES supplied is the Domestic DES?
As far as I know, DES is DES, domestic or export. If your DES interoperates with domestic DES (or popular implementations available on non-US servers), then you have DES.
I know DES as a subject here is one big YAWN, but for guys like us in the Asia, it's not. Why? 'Cause the US crypto companies here in Asia keep telling us about how good and wonderful and secure DES is, and that it is THE standard used by the American Banking Association.
It is THE standard. The political reasons are complex, but the bottom line is that large governments and other large organizations can brute force 56 bit keys. As far as the US government and the US banking system are concerned, this ability does not reduce bank transaction security since the US government can get the details directly from the bank by legal process. Most cryptographic experts recommend Triple DES, encrypting the data 3 times with 3 different keys. If the middle encryption runs DES in decrypt mode, the system can be made compatible with single DES by using the same key 3 times. The US government has never, to my knowledge, licensed the export of a Triple DES system. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA
frantz@netcom.com (Bill Frantz) writes:
Most cryptographic experts recommend Triple DES, encrypting the data 3 times with 3 different keys.
It's actually encrypted three times with two keys comprising 112 bits of keyspace, using a decrypt on one key sandwiched between two encrypts using the other. This prevents a "man in the middle" attack, which would be possible if only two DES encryptions were used, one for each key. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd@netcom.com $ via Finger. $
Mike Duvos writes:
frantz@netcom.com (Bill Frantz) writes:
Most cryptographic experts recommend Triple DES, encrypting the data 3 times with 3 different keys.
It's actually encrypted three times with two keys comprising 112 bits of keyspace, using a decrypt on one key sandwiched between two encrypts using the other. This prevents a "man in the middle" attack, which would be possible if only two DES encryptions were used, one for each key.
Many 3DES implementations actually do use 3 different keys. Surprisingly, the strength of 3DES with 3 keys is around the strength you would naively expect 3DES with 2 keys to have, and 3DES with 2 keys is slightly weaker than you would expect... .pm
Mike Duvos wrote:
frantz@netcom.com (Bill Frantz) writes:
Most cryptographic experts recommend Triple DES, encrypting the data 3 times with 3 different keys.
It's actually encrypted three times with two keys comprising 112 bits of keyspace, using a decrypt on one key sandwiched between two encrypts using the other. This prevents a "man in the middle" attack, which would be possible if only two DES encryptions were used, one for each key.
Not quite. Double DES is subject to a "meet in the middle" attack (not a "man in the middle"). Here's how it works: Let's say you've got unlimited storage, and you're doing a known plaintext attack, so you've got both the ciphertext and the plaintext in your hand. Then, just do all 2^56 decryptions of the ciphertext, and all 2^56 encryptions of the plaintext. Then, compare the two lists to see if you've got a match. Since it's DES, you can save a factor of two in both time and space, because it's got the complementation property. Assuming unlimited storage, three keys (168 bits) are equivalent to two. However, since 2^55 is a lot of disk space, in practice a real attacker will trade off space for time (it can be done). Thus, using three keys is more work for the attacker than using two. So, modern cryptographic usage is exactly as Bill said - three keys, three encryptions. For example, S/MIME recommends the use of DES-EDE3-CBC (the middle encryption is technically a decryption, although it doesn't really make any difference). Glad I could be of service. Raph
Raph Levien writes:
Double DES is subject to a "meet in the middle" attack (not a "man in the middle").
Yes, a silly mistake on my part, which shows I should proofread even the little messages before posting them. :) Gleeful readers are filling my mailbox hoping to be the first to point out this unfortunate error.
Thus, using three keys is more work for the attacker than using two. So, modern cryptographic usage is exactly as Bill said - three keys, three encryptions. For example, S/MIME recommends the use of DES-EDE3-CBC (the middle encryption is technically a decryption, although it doesn't really make any difference).
S/MIME aside, I was under the impression that the term "Triple-DES" referred to the encrypt-decrypt-encrypt operation using two distinct keys, proposed by some for adoption as the successor to single DES. Has this usage now changed in favor of the three key version? -- Mike Duvos $ PGP 2.6 Public Key available $ mpd@netcom.com $ via Finger. $
Has this usage now changed in favor of the three key version?
I cannot speak for the general case, but in SSL 3, the 3DES_EDE_CBC cipher uses three keys. PK -- Philip L. Karlton karlton@netscape.com Principal Curmudgeon http://home.netscape.com/people/karlton Netscape Communications They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin
-----BEGIN PGP SIGNED MESSAGE----- In article <199605011919.MAA27020@netcom8.netcom.com>, Bill Frantz <frantz@netcom.com> wrote:
At 12:22 AM 5/2/96 +0700, peng-chiew low wrote:
Daniel R. Oelke wrote:
There are provisions for exporting DES for banking purposes. Generally it is a hardware card that "can't" be reused outside of the banking transfer machine.
So far, I've seen DES software from a couple of U.S. companies. The question is "Is it the U.S. domestic DES or "export flavored" DES? As for the hardware, would'nt it be inconsistant if the DES supplied is the Domestic DES?
As far as I know, DES is DES, domestic or export. If your DES interoperates with domestic DES (or popular implementations available on non-US servers), then you have DES.
Not quite. CDMF key shortening was designed by IBM to shrink a 56-bit DES key to 40 bits, suitable for export. See AC2, page 366. I heard a rumour that CDMF is in SET, but I'm not sure how much that makes sense. - Ian -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMYj2w0ZRiTErSPb1AQFuSgP9EhcSgF/DVC1BFd8DPPUeD6C27HyR+Wqj YgXXhemNgni3WGi0v7jDnhqiId0YcRpzVnlywkKvd2O6dLZVMEavL+7qytTRlo/E iu5twOAc39JXkSj9pjpyvzChaiooujHyHKCqnCNG37Ggm4jTdHY+y59zmxy8wNka iiXVOurajKE= =1DPi -----END PGP SIGNATURE-----
participants (6)
-
frantz@netcom.com -
iang@cs.berkeley.edu -
mpd@netcom.com -
Perry E. Metzger -
Phil Karlton -
Raph Levien