I originally put this forward as a throw away comment but since Burt
Kaliski seemed to like the idea (it was me that made the initial
suggestion: I think the quoting got messed up somewhere) I'll suggest it
again a bit more formally as a possible alternative.
The idea is very simple. Treat the mailing list key (MLK) exactly as if
it was a S-S DH shared secret ZZ. In particular a salt is mandatory and
the KEK is derived using X9.42.
IMHO this has several things in its favour.
1. Any conformant CMS implementation will already have implemented the
key derivation algorithm and test vectors already exist: which have been
2. The problem of using the same KEK a large number of times is avoided
because the mandatory use of a salt ensures the KEK is different each
time for a given MLK (assuming the salts are different of course).
3. The same MLK can be used with algorithms with different key sizes.
4. If there is a weakness with this algorithm then I would suggest
there must also be a weakness in S-S DH in which case we shouldn't be
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant.
For info see homepage at http://www.drh-consultancy.demon.co.uk/
NOTE NEW (13/12/98) PGP key: via homepage.
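An added example, not code from Dr Henson's message or from any CMS implementation, showing the derivation the message proposes: the mailing list key (MLK) is fed to the RFC 2631 (X9.42) key derivation function exactly as if it were the S-S DH shared secret ZZ, with the salt carried in partyAInfo and the key-wrap algorithm OID and KEK length in KeySpecificInfo and suppPubInfo. The function names, the 64-byte salt length and the use of the RFC 3565 AES key-wrap OIDs to illustrate different key sizes are my assumptions; the 3DES wrap OID is the id-alg-CMS3DESwrap value from RFC 2631.

```python
import hashlib
import os
import struct
from typing import Optional

# Key-wrap algorithm OIDs: id-alg-CMS3DESwrap (RFC 2631), AES wraps (RFC 3565).
OID_3DES_WRAP = "1.2.840.113549.1.9.16.3.6"
OID_AES128_WRAP = "2.16.840.1.101.3.4.1.5"
OID_AES256_WRAP = "2.16.840.1.101.3.4.1.45"

# Assumed salt length: RFC 2631 specifies 512 random bits for partyAInfo.
SALT_LEN = 64


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """One DER TLV with the given tag octet."""
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER using base-128 sub-identifier encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def other_info(alg_oid: str, counter: int, salt: Optional[bytes], keylen_bits: int) -> bytes:
    """RFC 2631 OtherInfo: SEQUENCE { KeySpecificInfo, [0] partyAInfo OPTIONAL, [2] suppPubInfo }."""
    key_specific = der(0x30, encode_oid(alg_oid) + der(0x04, struct.pack(">I", counter)))
    party_a = der(0xA0, der(0x04, salt)) if salt is not None else b""
    supp_pub = der(0xA2, der(0x04, struct.pack(">I", keylen_bits)))
    return der(0x30, key_specific + party_a + supp_pub)


def x942_kdf(zz: bytes, alg_oid: str, keylen_bits: int,
             salt: Optional[bytes] = None, hash_name: str = "sha1") -> bytes:
    """KM = H(ZZ || OtherInfo) with a 32-bit counter from 1, concatenated and truncated."""
    keylen = keylen_bits // 8
    km = b""
    counter = 1
    while len(km) < keylen:
        km += hashlib.new(hash_name, zz + other_info(alg_oid, counter, salt, keylen_bits)).digest()
        counter += 1
    return km[:keylen]


def derive_mlk_kek(mlk: bytes, salt: bytes, alg_oid: str, keylen_bits: int) -> bytes:
    """The proposal: treat the MLK as ZZ; the salt is mandatory, so refuse to derive without one."""
    if not salt:
        raise ValueError("salt is mandatory when deriving a KEK from a mailing list key")
    return x942_kdf(mlk, alg_oid, keylen_bits, salt)


if __name__ == "__main__":
    mlk = os.urandom(20)                       # constructed mailing list key
    salt_a, salt_b = os.urandom(SALT_LEN), os.urandom(SALT_LEN)
    # Point 2: same MLK, different salts, different KEKs.
    print(derive_mlk_kek(mlk, salt_a, OID_3DES_WRAP, 192).hex())
    print(derive_mlk_kek(mlk, salt_b, OID_3DES_WRAP, 192).hex())
    # Point 3: same MLK yields KEKs of different sizes for different wrap algorithms.
    print(len(derive_mlk_kek(mlk, salt_a, OID_AES128_WRAP, 128)))
    print(len(derive_mlk_kek(mlk, salt_a, OID_AES256_WRAP, 256)))
```

Because the salt sits inside OtherInfo, every list message hashes a different input even though ZZ (the MLK) never changes, and the KEK length and wrap algorithm are bound into the derivation through suppPubInfo and KeySpecificInfo rather than by truncating a single fixed KEK.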