Re: DES <weak> key list?

Rodney Thayer <> Wed, 10 September 1997 19:08 UTC

Received: (from majordom@localhost) by (8.8.2/8.8.2) id PAA07873 for ipsec-outgoing; Wed, 10 Sep 1997 15:08:29 -0400 (EDT)
Message-Id: <>
X-PGP-Key: <>
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 10 Sep 1997 15:11:12 -0400
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
From: Rodney Thayer <>
Subject: Re: DES <weak> key list?
In-Reply-To: <199709101853.OAA23904@dcl.MIT.EDU>
References: <Steven Bellovin's message of Wed, 10 Sep 1997 10:37:17 -0400, <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Precedence: bulk

It's my impression that Bruce Schneier has the same opinion.  I suggest we
pull the text from all three places.

At 02:53 PM 9/10/97 -0400, you wrote:
>   Date: Wed, 10 Sep 1997 10:37:17 -0400
>   From: Steven Bellovin <>
>   I confess that I'm not worried about the possibility of a weak key being
>   chosen at random.  Even if one is, so what?  The problem with a weak key
>   is that double-encryption with it yields the original plaintext.  We're
>   not double-encrypting in general; if there are two independent layers of
>   encryption, the odds on hitting a weak key in both is about 1 in 2^108.
>   I'll take my chances...
>It's even better than that.  Given that we're using CBC, you'd have to
>doubly encrypt with the same IV, and the odds that they would be the
>same make the probability of lossage even lower.  
>It's really not clear this is worth us worrying about it...
>							- Ted