mrr(_at_)scss3(_dot_)cl(_dot_)msu(_dot_)edu (Mark Riordan) writes:
> Also, I think the situation with DES is ironic. It has withstood
> the test of time against theoretical attacks very well, while
> retaining its one original glaring weakness: the short keysize.
As I understand the analyses I have read, single-pass DES inherently only
provides a 56-bit-key's worth of security, since even with a larger
key size, differential cryptanalysis brings it down to 2^56 trial keys.
Given this, I see bigger keys (without an algorithm change) as false
security. I also look at off-the-cuff proposed algorithm changes very
skeptically; simply adding more rounds, widening the block size, or widening
the key space is by no means guaranteed to enhance real security.
EDE2, on the other hand, has been well-examined, and has been demonstrated to
offer at least some additional security over simple DES. EDE3 would seem to
be no weaker than EDE2 (though I highly doubt it is 1.5 times as strong),
since it varies only in the key schedule, not the algorithm.
I would be pleased to see EDE2, and have no great objections to EDE3.
CBC would be applied after EDE. Thus, DES-EDE-CBC would be derived
from DES-CBC simply by taking out the single-DES and inserting
DES-EDE. IV's would not be encrypted.
I support this method.
Amanda Walker
Advanced Projects
InterCon Systems Corporation
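
The construction described in this message (CBC chaining applied outside an EDE block operation, with the IV sent unencrypted), as an added sketch that is not part of either poster's text. The 8-byte Feistel function is a constructed stand-in for single DES, not DES itself, and every name, key and IV below is an assumption made for illustration.

```python
import hashlib

BLOCK = 8  # DES block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of the constructed stand-in cipher (NOT DES).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def toy_enc(key, blk):
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def toy_dec(key, blk):
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def ede_enc(k1, k2, k3, blk):
    # Encrypt-Decrypt-Encrypt. EDE2 is the case k3 == k1.
    return toy_enc(k3, toy_dec(k2, toy_enc(k1, blk)))

def ede_dec(k1, k2, k3, blk):
    return toy_dec(k1, toy_enc(k2, toy_dec(k3, blk)))

def cbc_encrypt(block_enc, iv, pt):
    if len(iv) != BLOCK or len(pt) % BLOCK:
        raise ValueError("IV must be one block, plaintext whole blocks")
    prev, out = iv, [iv]  # the IV travels in the clear as block 0
    for i in range(0, len(pt), BLOCK):
        prev = block_enc(xor(pt[i:i + BLOCK], prev))  # chain first, then EDE
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(block_dec, msg):
    if len(msg) < BLOCK or len(msg) % BLOCK:
        raise ValueError("message must be IV plus whole ciphertext blocks")
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    return b"".join(xor(block_dec(c), p) for p, c in zip(blocks, blocks[1:]))

# Constructed sample values (not from the thread).
K1, K2, K3 = b"key-one!", b"key-two!", b"key-3!!!"
IV = bytes(range(8))
MSG = b"three blocks of plaintxt"  # 24 bytes = 3 blocks
```

Because only the block operation is swapped, setting all three keys equal makes the output identical to single-cipher CBC, which is the interoperability property the decrypt step in EDE exists to provide.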