ietf-smime

RE: Crypto-oriented comments on x942-04

1999-02-09 11:07:22
Russ, Eric,

[snip...]
This is incorrect. By fiat, when used for key encryption, RC2 ALWAYS
uses a 128 bit key. The 40 bits refers only to the effective key length.
It may be possible to go from the 40 bit key to having some information
about the 128 bit key, but it's certainly not as simple as simply
knowing the first 40 bits.

You are correct. We did deal with this case.  However, I think it is a good
idea to use the algorithm in such a way that future users of CMS cannot
make a simple mistake and be susceptible to the partition attack.

And, the fix is
very simple.  We need to simply include the key length in the hash input. 
I'm prepared to do it, but I'm not sure that just shoving it in the 
pubInfo is the right choice. I'll think about this and try to write 
up a proposal by monday.

If you are going to the RSA Conference, I will gladly have a hallway chat
regarding the best way forward.

How did the chat end up? I notice that x942-05 ended up "shoving it in 
the pubInfo"; but I also notice that it still specifies that the keylength
is 128 bits for RC2, regardless of what the effective keylength is chosen
to be. This means that regardless of the effective keylength, we produce
the same material for input to the RC2 key expansion function. Have we 
decided that this isn't a weakness? Or should we be using different 
material to produce keys with different effective lengths?

Cheers,

William
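
The question raised in this message, modeled as an added example that is not part of the original email or of the x942 draft. It assumes a simplified derivation, SHA-1 over ZZ, a 32-bit counter and a 32-bit key length, rather than the draft's actual encoding; the function names and the ZZ value are constructed for illustration.

```python
import hashlib
import struct

ZZ = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared secret


def _check(nbits: int) -> None:
    # One SHA-1 block yields 160 bits; this sketch does not iterate the counter.
    if nbits % 8 or not 0 < nbits <= 160:
        raise ValueError("nbits must be a multiple of 8 in (0, 160]")


def kdf_unbound(zz: bytes, nbits: int) -> bytes:
    """Key = first nbits of H(ZZ || counter); the length is not hashed."""
    _check(nbits)
    return hashlib.sha1(zz + struct.pack(">I", 1)).digest()[: nbits // 8]


def kdf_bound(zz: bytes, nbits: int) -> bytes:
    """Key = first nbits of H(ZZ || counter || nbits); the length is hashed."""
    _check(nbits)
    data = zz + struct.pack(">I", 1) + struct.pack(">I", nbits)
    return hashlib.sha1(data).digest()[: nbits // 8]


def rc2_material(zz: bytes, effective_bits: int) -> bytes:
    """Assumed model of the rule in the message: RC2 always declares 128 bits,
    so effective_bits never reaches the hash input."""
    return kdf_bound(zz, 128)


def compare(zz: bytes = ZZ) -> dict:
    return {
        # Short key is a prefix of the long key when the length is not hashed.
        "unbound_prefix": kdf_unbound(zz, 128).startswith(kdf_unbound(zz, 40)),
        # Hashing the length gives unrelated keys for 40 and 128 bits.
        "bound_prefix": kdf_bound(zz, 128).startswith(kdf_bound(zz, 40)),
        # Same RC2 input regardless of effective key length.
        "rc2_same": rc2_material(zz, 40) == rc2_material(zz, 128),
    }


if __name__ == "__main__":
    print(compare())
```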

