Message-Id: <9305271305(_dot_)AA21646(_at_)chaos(_dot_)intercon(_dot_)com>
Date: Thu, 27 May 1993 13:05:21 -0500
From: Amanda Walker <amanda(_at_)intercon(_dot_)com>
Subject: Re: Triple DES
CBC would be applied after EDE. Thus, DES-EDE-CBC would be derived
from DES-CBC simply by taking out the single-DES and inserting
DES-EDE. IV's would not be encrypted.
I support this method.
Amanda,
the performance analyst (in my past life) objects. There are
performance advantages to using (DES-CBC)**3 over (DES**3)-CBC, for anyone
with single DES chips or with DES software that looks at all like Stratus'
optimized DES (in which the DES-CBC routine operates over a large block of
data, not just 8 bytes). The only people who might win with (DES**3)-CBC
are those who have (DES**3) in a single EDE2 chip. I've heard of that
chip, in the course of this discussion, but I've never seen one and doubt
that they're popular compared to single DES chips or software DES.
From my following of the conversation, it seems that people are
blindly jumping for (DES**3)-CBC without considering the performance.
[Again, from my past life as a performance analyst, I have a wound still
not healed from S/W developers who seem never to pay attention to execution
time.]
Sorry if I've miscast you in that role but I wish performance
were given a bit more consideration.
It is clear to me, in this case, that whoever designed EDE2 never
considered CBC mode or we wouldn't be having this discussion.
Steve Kent's argument that because (DES-CBC)**3 hasn't been blessed
by the pros, it must be less secure than (DES**3)-CBC holds no water for me.
In short, it looks like this decision is in danger of being made
without due consideration -- especially without the consideration which
performance is due.
- Carl
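The two compositions debated in this message, as an added example that is not part of the original e-mail. It uses a stand-in Feistel cipher rather than DES and two-key EDE, and it assumes all three passes of (DES-CBC)**3 share one IV, which the message does not specify; all names are hypothetical.

```python
import hashlib

BLOCK = 8  # 64-bit block, as in DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, blk, order):
    # Stand-in 4-round Feistel cipher on 8-byte blocks. This is NOT DES.
    l, r = blk[:4], blk[4:]
    for rnd in order:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l  # final swap makes decryption the same loop, rounds reversed

def E(key, blk):
    return _feistel(key, blk, range(4))

def D(key, blk):
    return _feistel(key, blk, reversed(range(4)))

def cbc_enc(op, iv, data):  # one bulk CBC-encrypt pass with block operation op
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = op(_xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_dec(op, iv, data):
    # One bulk CBC-decrypt pass: each output is op(c_i) XOR previous ciphertext.
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(op(c), p) for c, p in zip(blocks, [iv] + blocks))

def outer_encrypt(k1, k2, iv, pt):  # (DES**3)-CBC: one pass, EDE per block
    return cbc_enc(lambda b: E(k1, D(k2, E(k1, b))), iv, pt)

def outer_decrypt(k1, k2, iv, ct):
    return cbc_dec(lambda b: D(k1, E(k2, D(k1, b))), iv, ct)

def inner_encrypt(k1, k2, iv, pt):  # (DES-CBC)**3: three bulk passes
    p1 = cbc_enc(lambda b: E(k1, b), iv, pt)  # assumption: same IV each pass
    p2 = cbc_dec(lambda b: D(k2, b), iv, p1)
    return cbc_enc(lambda b: E(k1, b), iv, p2)

def inner_decrypt(k1, k2, iv, ct):
    p2 = cbc_dec(lambda b: D(k1, b), iv, ct)
    p1 = cbc_enc(lambda b: E(k2, b), iv, p2)
    return cbc_dec(lambda b: D(k1, b), iv, p1)

K1, K2, IV, PT = b"key-one!", b"key-two!", bytes(BLOCK), bytes(range(32))  # constructed
```

Under these assumptions the first ciphertext block is the same in both constructions and later blocks differ, so the two are not interoperable; with K1 equal to K2 both reduce to single-cipher CBC.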