Re: DES <weak> key list?

Rodney Thayer <rodney@sabletech.com> Wed, 10 September 1997 19:08 UTC

Message-Id: <3.0.3.32.19970910151112.00768198@pop3.pn.com>
Date: Wed, 10 Sep 1997 15:11:12 -0400
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
From: Rodney Thayer <rodney@sabletech.com>
Subject: Re: DES <weak> key list?
Cc: ipsec@tis.com
In-Reply-To: <199709101853.OAA23904@dcl.MIT.EDU>
References: <Steven Bellovin's message of Wed, 10 Sep 1997 10:37:17 -0400, <199709101437.KAA09123@postal.research.att.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

It's my impression that Bruce Schneier has the same opinion.  I suggest we
pull the text from all three places.

At 02:53 PM 9/10/97 -0400, you wrote:
>   Date: Wed, 10 Sep 1997 10:37:17 -0400
>   From: Steven Bellovin <smb@research.att.com>
>
>   I confess that I'm not worried about the possibility of a weak key being
>   chosen at random.  Even if one is, so what?  The problem with a weak key
>   is that double-encryption with it yields the original plaintext.  We're
>   not double-encrypting in general; if there are two independent layers of
>   encryption, the odds on hitting a weak key in both is about 1 in 2^108.
>   I'll take my chances...
>
>It's even better than that.  Given that we're using CBC, you'd have to
>doubly encrypt with the same IV, and the odds that they would be the
>same make the probability of lossage even lower.  
>
>It's really not clear this is worth us worrying about it...
>
>							- Ted
>
>

DES <weak> key list? Rodney Thayer
Re: DES <weak> key list? Michael C. Richardson
Re: DES <weak> key list? Ran Atkinson
Re: DES <weak> key list? Steven Bellovin
Re: DES <weak> key list? John Shriver
Re: DES <weak> key list? Bill Sommerfeld
Re: DES <weak> key list? Theodore Y. Ts'o
Re: DES <weak> key list? Rodney Thayer
Re: DES <weak> key list? Dave Mason