RE: 168 vs 192 bit using 3DES

Sounds fair enough, only the effective strength of a 3DES key against a
known ciphertext/plaintext pair attack is only 112 bits. We should not
mislead readers into thinking that 128 bit AES is less secure than 3DES.

It is important to get this right; we had a lot of problems with PKCS#12
non-interoperability because of a similar problem: two widely used
applications would interoperate exactly 50% of the time.

		Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Christian Geuer-Pollmann
> [mailto:geuer-pollmann@nue.et-inf.uni-siegen.de]
> Sent: Tuesday, October 30, 2001 3:35 PM
> To: XML Encryption WG
> Cc: Joseph Reagle
> Subject: 168 vs 192 bit using 3DES
> 
> 
> Hi,
> 
> A TripleDES-Key in the mode with three independent DES-keys has a
> cryptographic strength of 168 bit while the key material including the
> parity bits is 192 bit.
> 
> My question is: what do we transfer between entities? In Section
> "5.4.1 RSA Version 1.5", there is a statement:
> 
>    "The key is 168 bits for TRIPLEDES and
>     128, 192, or 256 bits for AES."
> 
> Additionally, in section "5.6.2 CMS Triple DES Key Wrap" is the
> statement
> 
>    "XML Encryption implementations MUST
>     support TRIPLEDES wrapping of
>     168 bit keys."
> 
> But do we really transfer 168 bit and have to add parity bits after
> transfer? Most cryptographic software packages export and import 192
> bit 3DES-keys instead of 168 bit. If we look at [CMS-Wrap] which was
> the base for the processing in section "5.6.2 CMS Triple DES Key Wrap",
> Russell Housley always works with 192 bit for a 3DES-key. This key
> length is also used in the example test vectors.
> 
> So my vote is to change the occurrences of "168 bit keys" to "192 bit
> keys". Additionally, we should add a statement that a 192 bit 3DES-key
> has only an effective key length (strength) of 168 bit.
> 
> 
> Best regards,
> Christian
> 
> [CMS-Wrap] 
> http://www.ietf.org/internet-drafts/draft-ietf-smime-key-wrap-01.txt
> 
> 

Received on Wednesday, 31 October 2001 11:53:22 UTC
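
The 168-bit versus 192-bit question in this thread, as an added Python example that is not part of either message or of the XML Encryption specification: it converts between the 24-byte form with parity bits and the 21 bytes of actual key bits. The function names, the sample key and the big-endian packing order of the 21-byte form are assumptions made for illustration.

```python
# Added example: 168-bit vs 192-bit encodings of a three-key Triple DES key.
# Each DES key byte holds 7 key bits (high bits) and 1 odd-parity bit (low bit).

def set_odd_parity(key: bytes) -> bytes:
    """Return key with the low bit of every byte adjusted to give odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)

def has_odd_parity(key: bytes) -> bool:
    """True if every byte has an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)

def expand_168_to_192(raw: bytes) -> bytes:
    """Spread 21 bytes (168 key bits) over 24 bytes, 7 bits each, plus parity.
    Packing order (most significant bits first) is an assumption."""
    if len(raw) != 21:
        raise ValueError("expected 21 bytes (168 bits)")
    bits = int.from_bytes(raw, "big")
    out = bytearray()
    for i in range(24):
        shift = 168 - 7 * (i + 1)
        out.append(((bits >> shift) & 0x7F) << 1)
    return set_odd_parity(bytes(out))

def strip_192_to_168(key: bytes) -> bytes:
    """Drop the parity bit of each of the 24 bytes, leaving the 168 key bits."""
    if len(key) != 24:
        raise ValueError("expected 24 bytes (192 bits)")
    bits = 0
    for b in key:
        bits = (bits << 7) | (b >> 1)
    return bits.to_bytes(21, "big")

if __name__ == "__main__":
    # Constructed sample key material, not a test vector from any specification.
    wire_192 = bytes(range(0x10, 0x28))  # 24 bytes, parity bits not yet set
    fixed = set_odd_parity(wire_192)
    print("192-bit form:", fixed.hex(), "odd parity:", has_odd_parity(fixed))
    print("168 key bits:", strip_192_to_168(fixed).hex())
    # Two 24-byte values that differ only in parity bits are the same DES key.
    print("same key:", strip_192_to_168(wire_192) == strip_192_to_168(fixed))
```

An implementation that sends one form to a peer expecting the other fails on length alone (21 versus 24 bytes), which is why the thread asks for the specification to name the transferred size explicitly.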