-----Original Message-----
From: Rescorla [mailto:ekr(_at_)terisa(_dot_)com]
Sent: Monday, August 31, 1998 3:36 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: RC2 keylength strawpoll

Don't bother with a message body, I am just going to count the
messages. Discussion of the content of this message should reply to
this message.

I'm trying to figure out what we are solving and the path that we are
pursuing to solve it.

1. RC2 is currently used as a message encryption algorithm. This does
not have any problems that I am aware of.
2. The X9.42 variant of DH that is proposed for use for key exchange
requires the use of an additional symmetric cipher for the protection of
the message encryption key. RC2 has been proposed for this purpose as
one alternative. Because RC2 has a disconnect between the length of the
input keying material and the effective key length, and because the
proposed DH method is using a hash-based PRNG to generate keying
material, the length of the input keying material must be specified or
at least agreed upon. There are exactly zero implementations that
currently use DH and RC2 right now, so backwards compatibility is not an
issue.

Current S/MIME practice for RC2 does not limit the length of the input
keying material for use with RC2. For better or worse. At the very
least, vendors using the RSA TIPEM library will produce input keying
material of a length greater than the effective keylength being used
with RC2. This has been demonstrated to be interoperable (every vendor
that has tested RC2 can handle lots of keying material being boiled down
to 40 bits of effective keying material).

I don't believe that the current discussion should apply to the current
use of RC2 as a message encryption algorithm -- I don't think there is a
problem here. Changing this for the sake of being in parallel with RC2
when used as a KEK with DH is interesting, but unnecessary. I don't
believe that there is any complexity for implementors.

Based on the underwhelming poll results (two responses), I'd say pick an
answer and write it up for the DH using RC2 as a KEK, and leave existing
RC2 MEKs alone. This is, of course, unless I'm missing something
significant about RC2's use as a MEK within the DH realm.

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103 Fax +1 425 882 8060