Date: Fri, 16 Jul 93 01:38:41 EDT
From: cme(_at_)ellisun(_dot_)sw(_dot_)stratus(_dot_)com (Carl Ellison)
Sender: pem-dev-relay(_at_)TIS(_dot_)COM
It behooves PEM, therefore, not to write off the performance argument just
because current implementations *of PEM* might not see enough of a
difference to annoy people if the under-performing option is chosen.
I see the issue in the same way in which some people decide to use 2048
bit RSA keys. While it is unlikely that a 1024 bit key could be
factorized by most organizations, even though a 2048 bit key is much
slower, it makes paranoid people feel better about the security of the
encryption.
In the same way, there were concerns expressed that some of the modes
that permit parallelized computation of triple DES might be less secure;
specifically, that a known plaintext attack might be easier under some
of these modes. Given that the traditional EDE mode is the only one
which has been discussed extensively in the literature, it seems to make
people feel better about its security, more than other variants. Keep
in mind that people using this are people who are worried about brute
force attack 2**56 bit keys --- so people who are using triple DES will
generally be people who are extremely worried about security indeed.
Thus, the system which appears to have the most security, and which has
been studied the most in the scientific literature, should be chosen
over less closely studied variants.
- Ted