Message-Id: <9305211830(_dot_)AA09473(_at_)transfer(_dot_)stratus(_dot_)com>
Subject: Re: DES EDE vs. EEE
Date: Fri, 21 May 93 14:29:45 -0400
From: Steve Kent <kent(_at_)BBN(_dot_)COM>
Steve,
you wrote:
You've been a fan of encrypting IVs in several messages.
Could you provide an explanation of why this would be an important
feature, in the context of PEM? The general "rules of thumb" under
which cryptoalgorithms have been evaluated for some time (and which
Diffie and Hellman described in publications about 15 years ago),
assume that a good algorithm should be resistant to attack even in the
face of known or chosen plaintext.
Yes, this is true. It's also a rule of thumb that a cryptosystem should be
strong even if the system is known by the enemy. However, that does not
mean that the system should always be published. The NSA keeps algorithms
secret. It's a small roadblock for a determined enemy, but a roadblock.
It certainly stops us, for example, in finding holes in Skipjack.
In the case of IVs, this is a small roadblock. A system strong under
chosen plaintext is even less vulnerable under ciphertext-only. I can't
quantify the difference but I can be certain that it's < and not <=.
In the specific case of IVs with PEM, I noticed when I started seeing PEM
messages that the IV (in hex) stood out as a field. There was no reason,
to my mind, to single it out or to publish it in the clear. There is
plenty of room inside the RSA encrypted key for 3 full DES keys and 3 full
IVs (or 2 or 1). Putting the IV(s) there shortens the PEM header and
simplifies it. It lumps together the parameters which would be passed to
the DES routines in one place. They become available all at once (in a
single structure?) and that structure could be handed to the DES routines
intact. Therefore, if I were designing this code, I would have placed all
this information there -- if only for cleanliness of design. Granted, this
is personal preference of the worst sort: programming style. I have no
desire to call someone else's style wrong. I'm just trying to answer your
question about why I'm a fan of putting the IV in with the key under RSA.
I fully agree that a system should not count in any way on secrecy of the
IV for its security. That would imply a fatal weakness in the system, I
believe. However, that doesn't mean that there's something wrong with
transmitting the IV encrypted under the RSA key.
- Carl
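Added example, not part of the original thread or of any PEM implementation: it shows the CBC property behind Carl's last paragraph. On decryption the IV only enters the first plaintext block, so whether it travels in the clear or inside the RSA-encrypted key blob changes nothing about what an attacker can do without the key. The block cipher is a constructed hash-based Feistel stand-in, not DES.

```python
# Added example (not from the mailing-list thread). A constructed 8-byte
# Feistel block cipher built on SHA-256 stands in for DES; the CBC code and
# the "wrong IV" measurement are what the example is about.
import hashlib

BLOCK = 8   # bytes per block, as for DES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Round function: keyed hash of the right half, truncated to 4 bytes.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = xor(r, _round(key, l, i)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv            # pt length must be a multiple of BLOCK
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))   # P_i = D(C_i) ^ C_{i-1}
        prev = c
    return b"".join(out)


def blocks_changed_by_iv(key: bytes, iv: bytes, other_iv: bytes, pt: bytes) -> int:
    """Count plaintext blocks that differ when the receiver uses other_iv
    instead of iv: CBC chains on ciphertext, so only block 1 can change."""
    ct = cbc_encrypt(key, iv, pt)
    good, bad = cbc_decrypt(key, iv, ct), cbc_decrypt(key, other_iv, ct)
    return sum(good[i:i + BLOCK] != bad[i:i + BLOCK] for i in range(0, len(ct), BLOCK))
```

With a four-block message and any two distinct IVs the count is 1, which is why an IV can be sent in the clear without the system "counting on" its secrecy.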