ietf-openpgp

Re: Symmetric Algorithm

1997-10-30 06:58:24
> [3DES]
> Yeah, it wins.  Dog-slow, but everybody's comfortable with it.
> What about the 2-Key 3DES vs. 3-Key 3DES problem?
       
Just do what X9.52 does, always use 3 keys but allow the first key to be 
repeated for the third key if you want 2-key triple DES.
 
> (There's also the minor annoyance that 3-Key 3DES needs
> 168 bits of key, and SHA-1 only gives you 160, 
> and if the standard was going to insist on something that
> required 168 real bits I'd recommend changing it...)
 
There are a number of algorithms for hashing/distilling passphrases, but many 
of them are either awful and/or don't provide more bits than the output of the 
hash function which is used (which is exactly the problem mentioned above).  
The PKCS #5 method is very limited, the PFX method is awful, HMACs are 
limited to the hash function output size and also handle passphrases longer 
than 64 bytes in a somewhat kludgy manner, I don't really like the SSLv3 
version (it iterates over the same data and only changes a few input bits for 
each block of output), and the TLS function again has a fixed output size 
based on the underlying hash functions.
 
The one I've been using is the one I posted to sci.crypt about a year ago,
which is:
 
/* Derive an encryption key from a variable-length user key.  This function
   works as follows:
 
   key[] = { 0 };
   state = hash( algorithm, mode, parameters, userKey );
 
   for count = 1 to iterations
     for length = 1 to keyLength
       state = hash( state );
       key[ length ] = hash( state, userKey );
 
   The state acts as an RNG which ensures that the user key hashing is
   serialized (ie that any form of parallelization or precomputation isn't
   possible) */
 
This can produce output of arbitrary size (eg 448 bit Blowfish keys), and also 
addresses various other problems I've seen in existing functions, for example 
if you start with the same parameters and use the resulting hash to key (say) 
DES and IDEA, then anyone who can recover a DES key can also recover 56 bits 
of your IDEA key.  By including the algorithm and parameters into the initial 
state calculation, a DES key derived from a given set of parameters will be 
completely different to an IDEA key coming from the same parameters.
 
Peter.
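
The derivation sketched in the message above, written out as an added Python example (not part of the original post and not the poster's own implementation). Assumptions: SHA-1 as the hash, length-prefixed encoding of the inputs, output filled 20 bytes at a time, each iteration XORed into the zero-initialised key, and a salt standing in for "parameters"; the `naive_key` and `compare` helpers and all sample values are constructed for comparison.

```python
import hashlib

HASH_LEN = 20  # SHA-1 output size in bytes (160 bits)

def _hash(*parts: bytes) -> bytes:
    # Assumption: each field is length-prefixed so ("DES", "CBC") and
    # ("DESC", "BC") can never hash to the same initial state.
    h = hashlib.sha1()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def derive_key(user_key: bytes, algorithm: bytes, mode: bytes,
               params: bytes, key_len: int, iterations: int = 100) -> bytes:
    key = bytearray(key_len)                          # key[] = { 0 }
    state = _hash(algorithm, mode, params, user_key)  # initial state
    for _ in range(iterations):
        for off in range(0, key_len, HASH_LEN):
            state = hashlib.sha1(state).digest()      # state = hash( state )
            block = _hash(state, user_key)            # hash( state, userKey )
            # Assumption: XOR each pass into the key so every iteration
            # contributes; the last block is truncated to fit key_len.
            for i, b in enumerate(block[:key_len - off]):
                key[off + i] ^= b
    return bytes(key)

def naive_key(user_key: bytes, key_len: int) -> bytes:
    # The weak pattern the message warns about: truncate one hash for
    # every cipher, which also caps the key at 160 bits.
    return hashlib.sha1(user_key).digest()[:key_len]

def compare(passphrase: bytes, salt: bytes) -> dict:
    des = derive_key(passphrase, b"DES", b"CBC", salt, 8)
    idea = derive_key(passphrase, b"IDEA", b"CBC", salt, 16)
    blowfish = derive_key(passphrase, b"Blowfish", b"CBC", salt, 56)
    return {
        "naive_idea_starts_with_naive_des":
            naive_key(passphrase, 16)[:8] == naive_key(passphrase, 8),
        "derived_idea_starts_with_derived_des": idea[:8] == des,
        "blowfish_key_bits": len(blowfish) * 8,
    }

if __name__ == "__main__":
    # Constructed sample inputs, for illustration only.
    print(compare(b"correct horse battery staple", b"\x01\x02\x03\x04"))
```

The naive truncation shares its leading bytes between the DES and IDEA keys and cannot exceed 160 bits, while the derived keys are unrelated across algorithms and reach the 448 bits mentioned for Blowfish.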

