Re: DES <weak> key list?

"Theodore Y. Ts'o" <tytso@MIT.EDU> Wed, 10 September 1997 18:45 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id OAA07709 for ipsec-outgoing; Wed, 10 Sep 1997 14:45:14 -0400 (EDT)
Date: Wed, 10 Sep 1997 14:53:23 -0400
Message-Id: <199709101853.OAA23904@dcl.MIT.EDU>
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: Steven Bellovin <smb@research.att.com>
Cc: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>, ipsec@tis.com
In-Reply-To: Steven Bellovin's message of Wed, 10 Sep 1997 10:37:17 -0400, <199709101437.KAA09123@postal.research.att.com>
Subject: Re: DES <weak> key list?
Address: 1 Amherst St., Cambridge, MA 02139
Phone: (617) 253-8091
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

   Date: Wed, 10 Sep 1997 10:37:17 -0400
   From: Steven Bellovin <smb@research.att.com>

   I confess that I'm not worried about the possibility of a weak key being
   chosen at random.  Even if one is, so what?  The problem with a weak key
   is that double-encryption with it yields the original plaintext.  We're
   not double-encrypting in general; if there are two independent layers of
   encryption, the odds on hitting a weak key in both is about 1 in 2^108.
   I'll take my chances...

It's even better than that.  Given that we're using CBC, you'd have to
doubly encrypt with the same IV, and the odds that they would be the
same make the probability of lossage even lower.  

It's really not clear this is worth us worrying about it...

							- Ted