Emphasizing a point by Donald Eastlake re key recovery

[Peter Trei]

> Date:          Wed, 24 Sep 1997 10:15:45 -0400
> To:            Ross Anderson <Ross.Anderson at cl.cam.ac.uk>
> From:          Carl Ellison <cme at cybercash.com>
> Subject:       Re: Emphasizing a point by Donald Eastlake re key recovery 
> Cc:            cypherpunks at toad.com, Ron Rivest <rivest-only at theory.lcs.mit.edu>,
>                cme at cybercash.com
> Reply-to:      Carl Ellison <cme at cybercash.com>

> -----BEGIN PGP SIGNED MESSAGE-----
> 
> At 09:34 AM 9/23/97 +0100, Ross Anderson wrote:
> >There is also the point that the vast majority of encryption keys are
> >actually used for authentication rather than confidentiality. The keys
> >that encrypt your bank card PIN en route from the ATM to the bank, the
> >keys in your satellite TV decoder, the keys in your gas meter and your
> >postal meter - in fact the majority of all DES keys in use - are about
> >authentication. In theory most of them could be replaced by digital 
> >signature mechanisms but given the size of the installed base, it 
> >won't happen anytime soon.
> 
> For what it's worth, I once got an opinion from NSA's export control office 
> that I could use any kind of crypto I wanted (e.g., even triple-DES) if all 
> I'm doing is protecting a channel carrying a password (like the PIN), 
> because that's an authentication function and therefore to be encouraged.  I 
> didn't get this in writing, however, so I'd have to go for it again.
> 
>  - Carl

Well, I dunno. About 18 months ago, I was involved with the 
negotiations over the exportability of an SSL equipped web
server I had helped develop. The export model used 40 bit RC4
and 512 bit keys. The initial version used 3DES to encrypt 
stored private keys, and this was turned down. I modified it to
use single DES, and it passed.

Note that this was for secret key storage only.

Peter Trei
trei at Process.com