The War is Underway (fwd)

Mark M. markm at voicenet.com
Sat May 10 18:05:37 PDT 1997


On Sat, 10 May 1997, Black Unicorn wrote:

> The amount of confusion over what represents a good algorithm is also
> interesting.  Take CAST, which seems a promising cipher and which we
> considered using over IDEA.
> 
> On asking 4 "experts" about CAST, I got 4 answers.
> 
> 1>  A 64 bit cipher with 40 bits secret.
> 2>  A 64 bit cipher - not expected to be very complete.
> 3>  A 128 bit cipher.
> 4>  "Not worth discussing."
> 
> In fact, as I understand it, CAST is of variable key length (Up to 128
> bits), and quite resistant to many attacks which plague DES and even IDEA.
> 
> But digging out that information was painfully difficult.  (It may not
> even be correct).

According to _Applied Cryptography_, CAST is a Feistel cipher with a 64-bit
block length and 64-bit key length.  So far, brute force is the only known
attack.

As far as "obscenely large" key lengths are concerned, 3-key triple DES
uses a 168-bit key.  This is used in many crypto packages, including
export-controlled Netscape, and is being considered as a replacement for
DES in the U.S.  Triple DES will probably also be supported in the next
version of PGP.  Blowfish supports keys as long as 448 bits and RC4
supports keys up to 2048 bits.  The problem with variable length ciphers
is that programs that use them do not actually take advantage of variable
keys and just stick to using keys of a fixed, and small, size.

Using large key sizes for passphrase-based systems is difficult, because
it's just too difficult to remember a passphrase with enough entropy to
make a difference.  Assuming a random passphrase with 6 bits of entropy
per character, over 21 characters would have to be used for there to be
128 bits of entropy.  Systems that use randomly generated keys are
limited only by the amount of available entropy, but then the passphrase
security to encrypt the secret key or physical security become important.
Using excessively long keys does not do much for security, as there are
always going to be weaker links that an attacker can take advantage of.
It doesn't hurt to use a 256-bit key, or larger, but it doesn't do much
good, either.



Mark

More information about the cypherpunks-legacy mailing list