Re: Slicing and dicing

Cheryl Madson <cmadson@cisco.com> Fri, 12 September 1997 17:21 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA08346 for ipsec-outgoing; Fri, 12 Sep 1997 13:21:38 -0400 (EDT)
From: Cheryl Madson <cmadson@cisco.com>
Message-Id: <199709121730.KAA07488@trix.cisco.com>
Subject: Re: Slicing and dicing
To: tytso@MIT.EDU
Date: Fri, 12 Sep 1997 10:30:03 -0700
Cc: karn@qualcomm.com, karl@Ascend.COM, rodney@sabletech.com, ipsec@tis.com
In-Reply-To: <199709121635.MAA05295@dcl.MIT.EDU> from "Theodore Y. Ts'o" at Sep 12, 97 12:35:56 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

I'm willing to change my DES draft to remove the weak key checking
altogether. I could probably add text similar to what Ted provided
into the security considerations section, so later readers will know
that we thought about this.

I was already planning for an editorial update to happen sometime
soon (I have a couple of other wordsmithing changes in the pipe).

- C

> 
>    Date: Thu, 11 Sep 1997 22:40:23 -0700 (PDT)
>    From: Phil Karn <karn@qualcomm.com>
> 
>    How likely are we to generate a weak key by random accident? Is it
>    worth worrying about?
> 
> Well, there are 4 weak keys, and 16 semi-weak keys, out of possible
> 2**56 keys.  So the probability of picking one of these weak keys is 
> (20 * 2**-56).  
> 
> Now, the property of having a weak or semi-weak key K is that there is
> exactly one key (in the case of the weak key, itself), K', such that
> encrypting with K and then encrypting with K' results in the original
> plaintext.  Given that we are using CBC mode, the random IV also must be
> the same.  
> 
> Note that this is also only a problem if we some how end up
> re-encrypting the encrypted packet again, such as in applications where
> you might be using two layers of ESP for some reason.  In those cases,
> the probability of trouble would be (20 * 2**-56 * 2**-56 * 20**-64), or
> (20 * 2**-176), or 2 * 10**-52.
> 
> 						- Ted
> 
>