pem-dev

Re: EDE

1993-05-25 10:48:00
On May 25, 11:55, "John Lowry" wrote:
Subject: EDE

I'm willing to look foolish ...  :-)

Can anyone answer the following questions in a quantifiable manner ?

Just what is the improvement of EDE over one-pass ?

Just what is the improvement of encrypted IV's over plaintext ?

(Remember, you need to quantify your answers)

These are reasonable questions.

All of what I'm going to say applies to RSAREF/RIPEM.

EDE uses a larger keyspace (either 56*2 or 56*3 bits of key material). 
So it is probably more secure. It is certainly more secure against a 
"brute force" attack. 

However, this security may really not be as great as it seems.

Basically, session keys are generated using some sort of PRNG. In RSAREF,
for example, a 128-bit state vector is used. The end result is that
there are at most 2^128 sequences of pseudorandom numbers that can be
generated.

The IV also comes out of the same PRNG.

In RSAREF, the IV and key are generated one right after the other (I 
forget the order offhand). I'd advocate encrypting the IV solely on 
the basis that you are possibly giving out some information about the 
session key by giving out the IV. In particular, if you're going to be 
generating 112 bits of key material, you might be concerned about this 
(the plaintext IV might narrow your choice of the session key to 2^64 
possibilities). 

On the other hand, since one of the goals of RIPEM is a degree of PEM
compatibility, I don't think we should go off and tamper with this.

As people have said, we can always go off and improve the PRNG later. 

Mark

-- 
Mark Henderson, SoftQuad Inc, 108-10070 King George Hwy, Surrey, B.C. V3T 2W4
Internet:  markh(_at_)wimsey(_dot_)bc(_dot_)ca, 
mch(_at_)sqwest(_dot_)wimsey(_dot_)bc(_dot_)ca, mch(_at_)holonet(_dot_)net
UUCP: {van-bc,sq}!sqwest!mch Telephone: +1 604 585 8394  Fax: +1 604 585 1926
RIPEM public key available/MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433
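
Added worked example, not part of the original message and not RSAREF's generator: a toy hash-counter PRNG with a 16-bit state and an 8-bit IV (both sizes, the IV-then-key order, and all function names are assumptions chosen so the state space can be enumerated) measures how many session-key bits remain once an IV drawn from the same state is seen in the clear. Scaling the same count to a 128-bit state and a 64-bit IV gives the 2^64 figure mentioned in the message.

```python
import hashlib
import math

# Toy sizes so the whole state space can be enumerated (assumptions for
# illustration; the message discusses a 128-bit state and a 64-bit DES IV).
STATE_BITS = 16
IV_BYTES = 1           # 8-bit toy IV
KEY_BYTES = 14         # 112 bits of two-key EDE material


def prng_bytes(state: int, n: int) -> bytes:
    """Toy generator: output is a pure function of the seed state."""
    out = b""
    counter = 0
    while len(out) < n:
        block = state.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:n]


def iv_and_key(state: int):
    """Draw the IV and then the key from one state (order is an assumption)."""
    buf = prng_bytes(state, IV_BYTES + KEY_BYTES)
    return buf[:IV_BYTES], buf[IV_BYTES:]


def bucket_states_by_iv():
    """Group every possible state by the IV it would emit."""
    buckets = {}
    for state in range(2 ** STATE_BITS):
        iv, _ = iv_and_key(state)
        buckets.setdefault(iv, []).append(state)
    return buckets


def remaining_key_bits(observed_iv: bytes, buckets) -> float:
    """log2 of the number of keys still consistent with a plaintext IV."""
    keys = {iv_and_key(s)[1] for s in buckets.get(observed_iv, [])}
    return math.log2(len(keys)) if keys else 0.0


if __name__ == "__main__":
    buckets = bucket_states_by_iv()
    iv, key = iv_and_key(0x3A7C)      # constructed sample state
    print("nominal key bits:", KEY_BYTES * 8)
    print("bits bounded by state:", STATE_BITS)
    print("bits left after seeing IV: %.2f" % remaining_key_bits(iv, buckets))
```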
