W3C home > Mailing lists > Public > xml-encryption@w3.org > June 2002

Re: W3C Encryption Support for DES, RC2, and RC4 Symmetric Encry ptio n Algorithms

From: Tom Gindin <tgindin@us.ibm.com>
Date: Thu, 20 Jun 2002 07:53:11 -0400
To: "Joseph Ashwood" <ashwood@msn.com>
Cc: <xml-encryption@w3.org>
Message-ID: <OFBB9998BB.83FAF207-ON85256BDE.004080E6@pok.ibm.com>


      Joseph:

      The major reason IMHO why anyone would want to use some of these
algorithms which are 64 bits or less would be that no stronger algorithm is
available in both the encryptor's environment and the decryptor's.  The
legacy that matters in this case consists of legacy crypto libraries since
obviously there's no legacy of XML-encrypted documents.  DES is also faster
than 3DES, of course, but that's not a very strong reason.
      My own point had to do with PBE because of its key exchange and
storage characteristics.  I don't think we should try to add every PBE
variant in PKCS#5 and PKCS#12, let alone all others which have ever been
defined.

            Tom Gindin


"Joseph Ashwood" <ashwood@msn.com>@w3.org on 06/19/2002 08:20:04 PM

Sent by:    xml-encryption-request@w3.org


To:    <xml-encryption@w3.org>
cc:
Subject:    Re: W3C Encryption  Support for DES, RC2, and RC4 Symmetric
       Encry      ptio n Algorithms



RE: W3C Encryption Support for DES, RC2, and RC4 Symmetric Encryptio n
Algorithms----- Original Message -----
From: Ahmed, Zahid

> Hi Don,
> I agree that we should any new encryption URIs in the
> draft-eastlake-xmldsig-uri-02.txt document.
> Specifically, we should seriously consider adding:
> 1) URI for "DES/CBC/XMLENCPadding" i.e, 56-bit DES encryption;
>    e.g., <some-base-URI>/xmlenc#des-cbc

I don't think that DES should even be offered as an endorsed algorithm. If
there was a significant quantity of legacy applications that were already
using DES with XML-encryption, then there would be a solid argument for
keeping it is a future generation of the standard. However, there are no
such applications, this is a version 1 specification and adding algorithms
that are already known to be broken would seem to be a somewhat backwards
step in terms of security. I hold the same opinion about all ciphers that
have a key size under 80 bits (and some that are over).

> Furthermore, it is not clear if RC4 and RC2 URIs
> are standardized for XML encryption enabled applications.

There has actually been quite some discussion regarding stream ciphers and
RC4 in particular. IIRC the primary argument for adding a stream cipher was
to show how one would go about doing it. RC4 was the selected candidate for
this, but because of security issues, it was dropped, primarily because
making it secure requires significant additional overhead above and beyond
that required for block ciphers.

> If not already standardized, I recommend that we
> also add them:
> 2) URI for RC4 56-bit and 128-bit encryption;
>    e.g., <some-base-URI>/xmlenc#rc4-56
>            <some-base-URI>/xmlenc#rc4-128

The biggest question is, how do you add an IV into it? If you do it through
concatenation it is subject to attack, specifically it is attacked like
WEP.
If you perform extra processing to eliminate that attack, there are methods
of distinguishing RC4 from random that are feasible
(http://www.ciphergoth.org/crypto/rc4/). This makes RC4 with any length key
at least questionable in terms of security. It falls into a grey area
because it is desirable to have at least one stream cipher to show how it
could be reasonably added, but it fails in the security requirements.

> 3) URI for RC2 56-bit and 128-bit encryption;
>    e.g., <some-base-URI>/xmlenc#rc2-56
>            <some-base-URI>/xmlenc#rc2-128

What would be the point? The only reason I can see for adding RC2 is that
it
is widely used in S/MIME (although it's rarely if ever used anywhere else),
but it is horribly slow (slower than 3DES), is less examined than 3DES, is
less trusted than 3DES, and is less used than 3DES. I can see no problem
with putting it in an additional source for URIs, since I cannot
immediately
find mention of a successful attack against it, but only for the 128-bit
version. If we're going to start adding every conceivable algorithm to the
URI space for this, there's a sizable list of algorithms of various types
at
http://www.eskimo.com/~weidai/benchmarks.html , most of which are not
supported, and most of which there is little reason to support.
                    Joe
Received on Thursday, 20 June 2002 07:53:41 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:32:04 UTC