Jon Callas wrote:
On 26 Mar 2006, at 3:12 AM, Ben Laurie wrote:
Jon Callas wrote:
I think we ought to keep it with the same algorithm number.
I'm happy to put in SHA-224 (meaning it's trivial work), but I don't
like it, myself. The reason is that SHA-224 is really a truncated
SHA-256. Thus, it has no advantages over SHA-256 except being smaller by
32-bits with 112 bits of security. The reason it exists at all is for
crypto-balance with 2-key 3DES (which is not TDEA), which we don't allow
at all.
<pedantic>
3-key DES also has a strength of 112 bits.
</pedantic>
There are certainly good arguments for that, but if 3-key 3DES is no
stronger than 2-key, then there shouldn't be any harm in dropping the
third key. Right? If you don't like this idea (that 2-key and 3-key are
equivalent), which I don't, then 3-key must be some stronger. It just
isn't easy to know how much more.
I'm not going to argue with this, but it clearly ain't much more. You
would be out on a limb to argue that it provided usefully more than 112
bits - though I won't hesitate to agree that 2DES < 3DES.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff