Re: Slicing and dicing
"Michael C. Richardson" <mcr@sandelman.ottawa.on.ca> Fri, 12 September 1997 17:34 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA08473 for ipsec-outgoing; Fri, 12 Sep 1997 13:34:15 -0400 (EDT)
Message-Id: <199709121747.NAA26920@istari.sandelman.ottawa.on.ca>
To: ipsec@tis.com
Subject: Re: Slicing and dicing
In-reply-to: Your message of "Fri, 12 Sep 1997 12:35:56 EDT." <199709121635.MAA05295@dcl.MIT.EDU>
Date: Fri, 12 Sep 1997 13:47:35 -0400
From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
>>>>> "Theodore" == Theodore Y Ts'o <tytso@MIT.EDU> writes:
Theodore> Note that this is also only a problem if we somehow end
Theodore> up re-encrypting the encrypted packet again, such as in
Theodore> applications where you might be using two layers of ESP
Theodore> for some reason. In those cases, the probability of
Theodore> trouble would be (20 * 2**-56 * 2**-56 * 20**-64), or
Theodore> (20 * 2**-176), or 2 * 10**-52.
Given this, I'd say forget about handling it.

The world isn't just DES, though. The question is about what to do with
weak keys in general. Are weak keys in other algorithms equally
improbable?

Given the difficulty in even test code to replace the weak keys with
other keys, I'd prefer to simply fail the SA, and cause ISAKMP to
start over again. I think even my vic-20 can afford to do this once
every (86400/300 * 365)/(2* 10**-52) years.
:!mcr!: | Network security programming, currently
Michael Richardson | on contract with DataFellows F-Secure IPSec
WWW: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.
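The policy preferred in the message above (reject a weak key and fail the SA instead of substituting another key), sketched in C as an added example that is not part of the original post or of any IPsec implementation. The function names and the `sa_status` values are hypothetical; the table is the standard list of 4 weak and 12 semi-weak DES keys.

```c
#include <stdint.h>

/* The 4 weak and 12 semi-weak DES keys, written with odd parity. */
static const uint64_t DES_WEAK[16] = {
    0x0101010101010101ULL, 0xFEFEFEFEFEFEFEFEULL,
    0x1F1F1F1F0E0E0E0EULL, 0xE0E0E0E0F1F1F1F1ULL,
    0x01FE01FE01FE01FEULL, 0xFE01FE01FE01FE01ULL,
    0x1FE01FE00EF10EF1ULL, 0xE01FE01FF10EF10EULL,
    0x01E001E001F101F1ULL, 0xE001E001F101F101ULL,
    0x1FFE1FFE0EFE0EFEULL, 0xFE1FFE1FFE0EFE0EULL,
    0x011F011F010E010EULL, 0x1F011F010E010E01ULL,
    0xE0FEE0FEF1FEF1FEULL, 0xFEE0FEE0FEF1FEF1ULL,
};

enum sa_status { SA_OK, SA_FAIL_RENEGOTIATE };  /* hypothetical names */

/* Pack the key into 64 bits with odd parity forced on every byte. The low
 * bit of each byte is parity only and is ignored by DES, so a key taken from
 * raw key-exchange output must be normalised before it is compared. */
static uint64_t des_normalise(const uint8_t key[8])
{
    uint64_t out = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t b = key[i] & 0xFE, odd = 0;
        for (uint8_t t = b; t; t >>= 1)
            odd ^= t & 1;
        out = (out << 8) | (uint8_t)(b | (odd ^ 1));
    }
    return out;
}

/* Returns 1 for a weak or semi-weak key; scans the whole table every time. */
int des_key_is_weak(const uint8_t key[8])
{
    uint64_t k = des_normalise(key);
    int hit = 0;
    for (int i = 0; i < 16; i++)
        hit |= (k == DES_WEAK[i]);
    return hit;
}

/* Policy argued for in the message: no substitute key is derived; the SA
 * fails and the caller restarts key negotiation. */
enum sa_status sa_accept_des_key(const uint8_t key[8])
{
    return des_key_is_weak(key) ? SA_FAIL_RENEGOTIATE : SA_OK;
}
```

Without the parity normalisation, an all-zero key or a key such as `00 FF 00 FF ...` would pass a byte-for-byte comparison against the table even though DES treats it as a weak or semi-weak key.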