RE: Section 12, take 2

> -----Original Message-----
> From: Blake Ramsdell [mailto:blake(_dot_)ramsdell(_at_)worldtalk(_dot_)com]
> Sent: Thursday, July 16, 1998 6:00 PM
> To: Jim Schaad (Exchange); 'Paul Hoffman / IMC'; EKR
> Cc: ietf-smime(_at_)imc(_dot_)org
> Subject: RE: Section 12, take 2
>
>
> > -----Original Message-----
> > From: Jim Schaad (Exchange) 
> > [mailto:jimsch(_at_)EXCHANGE(_dot_)MICROSOFT(_dot_)com]
> > Sent: Thursday, July 16, 1998 4:47 PM
> > To: 'Paul Hoffman / IMC'; EKR
> > Cc: ietf-smime(_at_)imc(_dot_)org
> > Subject: RE: Section 12, take 2
> >
> > [jls] There are two schools of thought at this point.  There was a
> > discussion at the time of V2 interop where Blake and Co were 
> > generating
> > 196-bit for RC2 keys (doing a compression step on the key 
> > material up front)
> > and we (Microsoft and Netscape) were generating n-bits of key 
> > material for
> > RC2-n.  I don't know if there ever was a decision as to the 
> reality of
> > having additional key material or not.  In this case my vote 
> > would be to use
> > the first n-bits of the D-H key agreement key to encrypt the 
> > material for
> > all algorithms as it is easier to describe and expand later 
> > if needed that
> > to say generate y-bits of key material, use as many bits as your key
> > encryption algorithm will let you.
> As far as what to do for the DH RC2 usage, I don't have an opinion.
>
> As far as the RC2 usage for a content encryption algorithm (section
> 12.5.3), I believe that it should not be assumed that the input key
> length is the same as the effective key length, and that 
> appropriate key
> expansion will need to be performed (RFC2268 section 2).  There may or
> may not be any sound cryptographic reason for using / not using
> different length keying material than effective key length, 
> and I don't
> claim to have any intelligence in this area.  It's one of those things
> that sounds like a good idea, but I don't know if there is a sound
> cryptographic reason for doing it.  We might put in a disclaimer that
> the RC2Version parameter governs the effective keylength, not 
> the length
> of the keying material itself.
I complete agree that no assumptions should be made for the Content
Encryption routines.  This is needed for backwards compataiblity with
existing code.

> Blake
> --
> Blake C. Ramsdell
> Worldtalk Corporation
> For current info, check http://www.deming.com/users/blaker
> Voice +1 425 882 8861 x103  Fax +1 425 882 8060