[Fwd: Cylink can export 128-bit DH?]
Raph Levien
raph at cs.berkeley.edu
Thu May 2 03:02:24 PDT 1996
Mike Duvos wrote:
>
> frantz at netcom.com (Bill Frantz) writes:
>
> > Most cryptographic experts recommend Triple DES, encrypting
> > the data 3 times with 3 different keys.
>
> It's actually encrypted three times with two keys comprising
> 112 bits of keyspace, using a decrypt on one key sandwiched
> between two encrypts using the other. This prevents a "man
> in the middle" attack, which would be possible if only two
> DES encryptions were used, one for each key.
Not quite.
Double DES is subject to a "meet in the middle" attack (not a "man in
the middle"). Here's how it works:
Let's say you've got unlimited storage, and you're doing a known
plaintext attack, so you've got both the ciphertext and the plaintext in
your hand. Then, just do all 2^56 decryptions of the ciphertext, and all
2^56 encryptions of the plaintext. Then, compare the two lists to see if
you've got a match. Since it's DES, you can save a factor of two in both
time and space, because it's got the complementation property.
Assuming unlimited storage, three keys (168 bits) are equivalent to
two. However, since 2^55 is a lot of disk space, in practice a real
attacker will trade off space for time (it can be done). Thus, using
three keys is more work for the attacker than using two. So, modern
cryptographic usage is exactly as Bill said - three keys, three
encryptions. For example, S/MIME recommends the use of DES-EDE3-CBC (the
middle encryption is technically a decryption, although it doesn't
really make any difference).
Glad I could be of service.
Raph
More information about the cypherpunks-legacy
mailing list