List:       kfm-devel
Subject:    On the selection of ciphers blindly based on bit strength
From:       George Staikos <staikos () 0wned ! org>
Date:       2001-02-28 6:19:03


  Here is a very well written description of why I don't like reordering 
ciphers based on bit strength.  It's just not a good procedure.  I'm going to 
investigate the individual ciphers and make our own preference list for the 
next release.

----------  Forwarded Message  ----------
Subject: Re: Nortel CES (3DES version) offers false sense of security when 
using IPSEC
Date: Tue, 27 Feb 2001 22:00:23 -0800
From: Dan Kaminsky <dankamin@CISCO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM


> I don't know where people get their information, but triple-DES uses
> a 112 bit key. How they can advertise 128, or even 168 bits of keys I
> don't know.

3DES uses a 168 bit key.  Not 128, not 112, not anything else.

The problem is that, in crypto, not all bits are created equal--note the
mass confusion over the asymmetric keyspaces--"Wait, 512 bits are *less*
than 128 bits?"

Essentially, 3DES is referred to as 128 bits because it possesses equivalent
strength to more modern ciphers that have a 128 bit keyspace.  The meet in
the middle attack reduces the complexity to 2^112, but the assurance over
time (as the most widely attacked cryptographic algorithm in existence)
raises the quality to an "equivalent" 128 bit.

It's ugly, and blame the marketers for it--but on the flip side, it's better
than hearing about how 168 bit 3DES is actually only two thirds its apparent
strength, which numerically makes it less trustworthy than (say) 128 bit
RC4.  In the great pantheon of marketing hacks, calling 3DES 128 bit
absolutely *pales* in comparison.

Yours Truly,

    Dan Kaminsky, CISSP
    Cisco Systems, Inc.
    http://www.doxpara.com

-------------------------------------------------------

-- 

George Staikos
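
The meet-in-the-middle reduction mentioned in the forwarded message, as an added example that is not part of either e-mail: a toy 16-bit block cipher with 10-bit keys (constructed here, not DES) is applied twice, and the nominal 20-bit key is found with 2^11 cipher operations in the search phase. This is the two-key case of the technique; every name and constant below is an assumption made for the illustration.

```python
# Toy 16-bit block cipher with a 10-bit key (constructed for this example; not DES).
MASK, KEY_BITS, ROUNDS = 0xFFFF, 10, 4
MUL = 0x6255                          # odd, so invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << 16)       # needs Python 3.8+

def round_key(k, r):
    return (k * 0x9E37 + r * 0x7F4A) & MASK

def encrypt(k, x):
    for r in range(ROUNDS):
        x = (x + round_key(k, r)) & MASK
        x = (x * MUL) & MASK
        x ^= x >> 7
    return x

def decrypt(k, y):
    for r in reversed(range(ROUNDS)):
        y ^= (y >> 7) ^ (y >> 14)     # inverse of x ^= x >> 7 on 16 bits
        y = (y * MUL_INV) & MASK
        y = (y - round_key(k, r)) & MASK
    return y

def double_encrypt(k1, k2, x):
    return encrypt(k2, encrypt(k1, x))

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, cipher operations spent in the search phase)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}
    for k1 in range(1 << KEY_BITS):   # 2^10 encryptions from the plaintext side
        middle.setdefault(encrypt(k1, p0), []).append(k1)
    ops = 1 << KEY_BITS
    candidates = []
    for k2 in range(1 << KEY_BITS):   # 2^10 decryptions from the ciphertext side
        ops += 1
        for k1 in middle.get(decrypt(k2, c0), []):
            # Confirm on the other known pairs to drop chance collisions
            # (confirmation work is not counted in ops).
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, ops

def demo():
    k1, k2 = 0x2A7, 0x13C             # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0042)]
    found, ops = meet_in_the_middle(pairs)
    return (k1, k2), found, ops, 1 << (2 * KEY_BITS)  # last value: nominal keyspace

if __name__ == "__main__":
    secret, found, ops, nominal = demo()
    print(f"secret={secret} found={found} nominal={nominal} search_ops={ops}")
```

The search trades memory for time: the `middle` table holds one entry per first-stage key, which is why the key length printed on the box and the work needed to search it are different numbers.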
