Re: Slicing and dicing
Cheryl Madson <cmadson@cisco.com> Fri, 12 September 1997 17:21 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA08346 for ipsec-outgoing; Fri, 12 Sep 1997 13:21:38 -0400 (EDT)
From: Cheryl Madson <cmadson@cisco.com>
Message-Id: <199709121730.KAA07488@trix.cisco.com>
Subject: Re: Slicing and dicing
To: tytso@MIT.EDU
Date: Fri, 12 Sep 1997 10:30:03 -0700
Cc: karn@qualcomm.com, karl@Ascend.COM, rodney@sabletech.com, ipsec@tis.com
In-Reply-To: <199709121635.MAA05295@dcl.MIT.EDU> from "Theodore Y. Ts'o" at Sep 12, 97 12:35:56 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
I'm willing to change my DES draft to remove the weak key checking
altogether. I could probably add text similar to what Ted provided
into the security considerations section, so later readers will know
that we thought about this.

I was already planning for an editorial update to happen sometime soon
(I have a couple of other wordsmithing changes in the pipe).

- C

>
>    Date: Thu, 11 Sep 1997 22:40:23 -0700 (PDT)
>    From: Phil Karn <karn@qualcomm.com>
>
>    How likely are we to generate a weak key by random accident? Is it
>    worth worrying about?
>
> Well, there are 4 weak keys, and 16 semi-weak keys, out of possible
> 2**56 keys. So the probability of picking one of these weak keys is
> (20 * 2**-56).
>
> Now, the property of having a weak or semi-weak key K is that there is
> exactly one key (in the case of the weak key, itself), K', such that
> encrypting with K and then encrypting with K' results in the original
> plaintext. Given that we are using CBC mode, the random IV also must be
> the same.
>
> Note that this is also only a problem if we somehow end up
> re-encrypting the encrypted packet again, such as in applications where
> you might be using two layers of ESP for some reason. In those cases,
> the probability of trouble would be (20 * 2**-56 * 2**-56 * 20**-64), or
> (20 * 2**-176), or 2 * 10**-52.
>
> - Ted
>
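
The kind of weak-key check discussed in this message, as an added example that is not from the thread or from the DES draft: it masks the DES parity bits, looks the key up in the commonly published table of 4 weak keys and 6 semi-weak pairs, and returns the partner key K'. The function names and the `rng` callback are assumptions for illustration.

```python
from fractions import Fraction

# Commonly published DES weak keys (each is its own partner K'), odd parity.
WEAK = ["0101010101010101", "FEFEFEFEFEFEFEFE",
        "1F1F1F1F0E0E0E0E", "E0E0E0E0F1F1F1F1"]
# Commonly published semi-weak pairs (K, K').
SEMI_WEAK_PAIRS = [
    ("01FE01FE01FE01FE", "FE01FE01FE01FE01"),
    ("1FE01FE00EF10EF1", "E01FE01FF10EF10E"),
    ("01E001E001F101F1", "E001E001F101F101"),
    ("1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E"),
    ("011F011F010E010E", "1F011F010E010E01"),
    ("E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1"),
]

def strip_parity(key: bytes) -> bytes:
    """Clear the low (parity) bit of each byte so only the 56 key bits compare."""
    if len(key) != 8:
        raise ValueError("DES keys are 8 bytes")
    return bytes(b & 0xFE for b in key)

# Parity-stripped key -> (class, partner key as published).
_TABLE = {}
for k in WEAK:
    _TABLE[strip_parity(bytes.fromhex(k))] = ("weak", bytes.fromhex(k))
for a, b in SEMI_WEAK_PAIRS:
    _TABLE[strip_parity(bytes.fromhex(a))] = ("semi-weak", bytes.fromhex(b))
    _TABLE[strip_parity(bytes.fromhex(b))] = ("semi-weak", bytes.fromhex(a))

def classify(key: bytes):
    """Return (class, partner) for a listed key, else None. Parity is ignored."""
    return _TABLE.get(strip_parity(key))

def random_hit_probability() -> Fraction:
    """Chance that a uniformly random 56-bit key is in this table."""
    return Fraction(len(_TABLE), 2 ** 56)

def generate_key(rng) -> bytes:
    """Draw 8-byte keys from rng(n) (hypothetical callback) until one passes."""
    while True:
        key = rng(8)
        if classify(key) is None:
            return key
```

Passing `os.urandom` as `rng` gives a key generator with the check applied; a comparison that does not mask parity would miss keys such as all-zero bytes.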