Re: Nortel CES (3DES version) offers false sense of securitywhen usi ng IPSEC

[Rogier Wolff <R.E.Wolff () BITWIZARD NL>]

Andrew Thomas wrote:
[Charset iso-8859-1 unsupported, filtering to ASCII...]
> > -----Original Message-----
> > From: Rogier Wolff [mailto:R.E.Wolff () BITWIZARD NL]
> > Sent: Wednesday, February 28, 2001 12:38 AM
> > To: BUGTRAQ () SECURITYFOCUS COM
> > Subject: Re: Nortel CES (3DES version) offers false sense of
> > securitywhen usi ng IPSEC
>
> > Still, I remember that using triple-DES with three keys only had a
> > complexity on the order of 2^112. No matter what you tried.

> Due to the meet-in-the-middle attack on 3DES, the keyspace for a
> brute-force attack was reduced to 2^112. However, there was an
> additional space-complexity of 2^56 (+-half an exabyte), which
> adds an additional constraint.

OK. Good. But I remember there being a trick that would allow you to
say reduce the "space-complexity" by a factor of 1000, in exchange for
a computational expansion of 1000 in such a case.

> It is arguable that if 2^112 bit time is within reach, then
> 2^56 storage should not be an issue.
>
> > Sure you can design super-duper-crypto scheme that uses a gigantic
> > key, but as long as the resulting crypto only has 2^56 complexity to
> > break, it doesn't have any real advantages over, say, DES.

> 3DES in various forms does not have this property - as explained
> above, and is a definite improvement over DES.

This was NOT saying that 3DES isn't better than DES. I'm trying to get
across that putting in keybits doesn't always improve the crytanalisys
effort. So everybody is telling me that 3DES can be keyed with 56,
112, or 168 bits. Fine. Agreed. But also several people have replied
that my original statment that "even when keyed with 168 bits, the
complexity of breaking it is not more than on the order of 2^112"
holds.

> However, given the state of technology, the major risks about 3DES
> should come from cryptanalytic attacks, rather than brute-force.
> There may be interactions that arise when repeating the DES operations
> that somehow weaken the strength of the resulting encryption.

Suppose that I am designing a protocol, that needs to be secure for
the coming 20 years. Computational power expands by 10 bits every 10
years. However, to be safe I should count on 20 bits for every 10
years.

Three years ago (3 bits), DES was cracked in under an hour. I want to
be safe against an attack that takes a month (9 bits), and uses a 100
times (7 bits) more expensive computer.

So, above the 56 bits that were cracked, to be safe 20 years from now
I need 2*20 + 3+9+7 = 59 bits.

So, I need 56+59 = 115 bits of security to approve an algorithm for my
protocol. If 3DES is advertized as having 168 bit security, I'd
happily go for 3DES: 53 bits to spare! However, since 3DES only has
112 bit strength (even when keyed with 168 bits), this decision is
wrong!

This is why it is important that if 3DES has 112 bit security, it is
advertized as such, even when now 112 bits is just as impractical for
us as 168 bits.

                        Roger.

--
** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* There are old pilots, and there are bold pilots.
* There are also old, bald pilots.