ietf-openpgp

Re: 3DES Weakness

1998-03-31 09:46:30
NYT-Markoff reports today on Biham and Knudsen's paper
on 3DES weakness, "Cryptanalysis of the ANSI X9.52 
CBCM Mode," noted here a few days ago.

This mode of operation is not used in OpenPGP.  It was a special mode
created by Don Coppersmith et al. to thwart a series of attacks devised
by Eli Biham against 3DES modes which use inner feedback to effectively
increase block size.  (Inner feedback means that you bring in data from
other blocks between the three DES operations.)  In the last few years,
Biham has shown that adding inner feedback is dangerous and often helps
an attacker.  Coppersmith came up with a special way of doing it which
was supposed to be immune to Biham's methods, which is the CBCM mode.
Now Biham has shown that this mode, as well, is vulnerable to his attack.

OpenPGP uses only "outer" feedback, in CFB mode.  We operate on each block
using three full DES operations, without trying to bring in any extra
feedback between the three DES transformations.  The advantage is that
without inner feedback, Biham's attacks don't apply.  The disadvantage
is that the block size is then only 64 bits, so if you encrypt a
substantial fraction of 2^64 blocks (2^67 bytes) using a given key,
there is a chance that duplicate blocks will occur by accident, which
will reveal some plaintext.  However, this is an extremely large amount
of data, and since OpenPGP usually uses randomly generated session keys,
it is not a problem in practice.

Hal Finney
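
The duplicate-block leak in outer-feedback CFB described in the message above, as an added example that is not part of the original post: when two ciphertext blocks are equal, the next keystream blocks are equal too, so the XOR of the following ciphertext blocks equals the XOR of the following plaintext blocks. Assumptions: a toy 16-bit Feistel cipher (`toy_encrypt_block`, hypothetical) stands in for 3DES so that duplicates appear within a few thousand blocks, and the key, IV and plaintext are constructed sample data.

```python
import hashlib

BLOCK = 2  # toy 16-bit block (assumption); 3DES uses 8-byte blocks

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on 16 bits; hypothetical stand-in for 3DES."""
    left, right = block[0], block[1]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return bytes([left, right])

def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Outer-feedback CFB: C_i = P_i XOR E_k(C_{i-1}), with C_0 = IV."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        prev = xor(plaintext[i:i + BLOCK], toy_encrypt_block(key, prev))
        out += prev
    return bytes(out)

def find_leaks(ciphertext: bytes):
    """From ciphertext alone, return (i, j, P[i+1] XOR P[j+1]) for every
    block j that repeats an earlier block i (0-based block indices)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    seen, leaks = {}, []
    for j, blk in enumerate(blocks[:-1]):
        if blk in seen:
            i = seen[blk]
            # Equal feedback blocks give equal keystream for the next block.
            leaks.append((i, j, xor(blocks[i + 1], blocks[j + 1])))
        else:
            seen[blk] = j
    return leaks

def demo(n_blocks: int = 4096, seed: bytes = b"constructed-demo"):
    """Encrypt constructed data and verify each leak against the plaintext."""
    key = hashlib.sha256(seed + b"key").digest()[:16]
    iv = hashlib.sha256(seed + b"iv").digest()[:BLOCK]
    plaintext = hashlib.shake_128(seed).digest(n_blocks * BLOCK)
    leaks = find_leaks(cfb_encrypt(key, iv, plaintext))
    pt = lambda n: plaintext[n * BLOCK:(n + 1) * BLOCK]
    return len(leaks), all(x == xor(pt(i + 1), pt(j + 1)) for i, j, x in leaks)

if __name__ == "__main__":
    print("repeated blocks, all leaks verified:", demo())
```

With a b-bit block, repeated ciphertext blocks become likely after roughly 2^(b/2) blocks under one key, which is why the toy 16-bit block shows them within 4096 blocks.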
