Jim Gillogly (jim@acm.org)
Tue, 21 Jul 1998 17:42:42 -0700
Kriston J. Rehberg writes:
>Remember, 3DES is not necessarily DES taken three times; I believe the most
>secure (and most popular) form takes the output of DES decrypted with
>another key on the second pass and then encrypted again with DES with a
>third key on the third pass.
That's the most popular form of 3DES, but it's a compatibility issue
rather than a security issue: if you run it with all three keys the
same you get DES, so you can test your implementation against a real
DES or interoperate with somebody who doesn't have 3DES. Encrypting
for all three passes would be no less secure, so far as we know.
> It's fascinating and super-clever (and
>some say "unbreakable") but it's, of course, very slow.
Some say unbreakable? That's a new one on me.
>Whether this can be a factor of three is best left to someone else; but
>it's not just DES on top of DES and it's up to someone else to decide
>whether more than three iterations gives you more security.
It can be just DES on top of DES on top of DES. While we're on the
subject, 2DES isn't any worse than DES, despite what some have been
saying about it... it's just not an efficient use of keying material
against some attacks, since you get only about a bit more of strength.
3DES is strong enough from a keylength standpoint -- it shifts the weak
link to the 64-bit blocksize. Above 90 bits or so of strength it all
looks the same up there, assuming exhaustive key search is the most
efficient attack.
-- Jim Gillogly 29 Afterlithe S.R. 1998, 00:38 12.19.5.6.11, 13 Chuen 4 Xul, Fifth Lord of Night
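
The compatibility property discussed in the message above, as an added example that is not part of the original post. A toy 32-bit Feistel cipher stands in for DES (it is not DES and has no security value), and all function names and sample values are constructed for illustration.

```python
import hashlib

ROUNDS = 8  # toy parameter, constructed for this example

def _f(half, key, rnd):
    # Round function of a toy 32-bit Feistel cipher standing in for DES.
    # It is NOT DES and has no security value; only invertibility matters.
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")

def encrypt(key, block):
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 16) | right

def decrypt(key, block):
    left, right = block >> 16, block & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 16) | right

def ede(k1, k2, k3, block):
    # Encrypt, decrypt, encrypt: the form described in the message.
    return encrypt(k3, decrypt(k2, encrypt(k1, block)))

def ede_inverse(k1, k2, k3, block):
    return decrypt(k1, encrypt(k2, decrypt(k3, block)))

def eee(k1, k2, k3, block):
    # Encrypting on all three passes.
    return encrypt(k3, encrypt(k2, encrypt(k1, block)))

def compat_report(key, k2, k3, blocks):
    return {
        "ede_same_keys_is_single": all(ede(key, key, key, b) == encrypt(key, b) for b in blocks),
        "single_peer_reads_ede": all(decrypt(key, ede(key, key, key, b)) == b for b in blocks),
        "eee_same_keys_is_single": all(eee(key, key, key, b) == encrypt(key, b) for b in blocks),
        "ede_three_keys_round_trips": all(ede_inverse(key, k2, k3, ede(key, k2, k3, b)) == b for b in blocks),
    }

SAMPLE_BLOCKS = [0x00000000, 0x00000001, 0xDEADBEEF, 0xFFFFFFFF]  # constructed
if __name__ == "__main__":
    print(compat_report(b"key-one", b"key-two", b"key-three", SAMPLE_BLOCKS))
```

With all three keys equal, the EDE form reduces to one pass of the underlying cipher and a single-cipher peer can decrypt it, while the EEE form does not reduce; the example shows only this interoperability difference and makes no security comparison.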