From: Dr Stephen Henson
Sent: Saturday, October 03, 1998 6:35 AM
Subject: Re: RC2 Keylength Strawpoll
There was never any mention of why the key wrapping standard or CMS
couldn't be changed to allow the MEK length to be determined and thus
enable current RSA implementations to be unchanged in mixed RSA and DH
environments. As I recall one parameter in CMS or the
of key wrap to use standard block padding would allow this. Did you see
this discussion Russ?
Yes, I would like some clarification on this also -- I was ignorant and
did not understand that the protected MEK length could not be determined
after removing the DH protection. As Dr. H points out, it would
certainly be nice to be able to recycle some code and to use whatever
padding method is necessary to be able to accurately know the
unprotected data length (provided that there are no cryptographic
weaknesses introduced by doing so).
This will also simplify the backwards compatibility, since there won't
be any "oh, if you're using RSA you have to be prepared for x and y, but
if you're using DH you have to be prepared for z after you unprotect the
MEK for RC2". To the extent that we can make DH behave like RSA (once
again, as long as there are no cryptographic, patent, etc. problems), I
think we should do it. I suspect that this was discussed at some point
in X9, but I don't have a card to get into that club...
From my understanding, the padding would be a sequential operation with
the DH protection / unprotection, so I don't think this should affect
other X9 implementations when they come to exist. Then again, I might
Blake C. Ramsdell
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103 Fax +1 425 882 8060