Message-Id: <9305211810(_dot_)AA08601(_at_)transfer(_dot_)stratus(_dot_)com>
Subject: Re: Triple DES
Date: Fri, 21 May 93 14:09:54 -0400
From: Steve Kent <kent(_at_)BBN(_dot_)COM>
Steve,
there are two ways to define triple DES in EDE mode. As a thought
experiment, they use three DES chips in sequence.
In the mode you define, the three chips are run in ECB mode and some
logic outside the three chips can be added to provide CBC feedback and
initialization (IV).
In the other mode, the three chips are run in CBC mode, each with its
own IV.
In the second case, you have 3 IVs rather than 1. You also have the
possibility to use a chip which implements single DES-CBC in a full pass
over the data. In the mode you described, you would have to use the
one chip in ECB mode and keep changing keys for every block in order to
get the final ciphertext to XOR with the next plaintext block.
As to whether to encrypt the IV under the RSA key, to my preference we
should encrypt by default since we have the space within a single operation
of RSA with the minimum key length. I know that the IV is irrelevant after
the first bytes of the stream because CBC is designed to re-sync, but there
are families of messages (compressed ones, for example) which have
increasing entropy as the message stream proceeds -- so that there is
reason to protect the start of the message more thoroughly than you would
protect the middle or end. A secret IV does just that.
- Carl