On 26 Mar 2006, at 3:12 AM, Ben Laurie wrote:
Jon Callas wrote:
I think we ought to keep it with the same algorithm number.
I'm happy to put in SHA-224 (meaning it's trivial work), but I don't
like it, myself. The reason is that SHA-224 is really a truncated
SHA-256. Thus, it has no advantages over SHA-256 except being
smaller by
32-bits with 112 bits of security. The reason it exists at all is for
crypto-balance with 2-key 3DES (which is not TDEA), which we don't
allow
at all.
<pedantic>
3-key DES also has a strength of 112 bits.
</pedantic>
There are certainly good arguments for that, but if 3-key 3DES is no
stronger than 2-key, then there shouldn't be any harm in dropping the
third key. Right? If you don't like this idea (that 2-key and 3-key
are equivalent), which I don't, then 3-key must be some stronger. It
just isn't easy to know how much more.
I wrote a long thing on this a couple years ago at:
<http://searchsecurity.techtarget.com/tip/
1,289483,sid14_gci968714,00.html?track=NL-102&ad=486202>
Jon