Re: DES <weak> key list?

Steven Bellovin <smb@research.att.com> Wed, 10 September 1997 14:30 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA05798 for ipsec-outgoing; Wed, 10 Sep 1997 10:30:01 -0400 (EDT)
Message-Id: <199709101437.KAA09123@postal.research.att.com>
To: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
cc: ipsec@tis.com
Subject: Re: DES <weak> key list?
Date: Wed, 10 Sep 1997 10:37:17 -0400
From: Steven Bellovin <smb@research.att.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

	 -----BEGIN PGP SIGNED MESSAGE-----
	 
	 
	 >>>>> "Rodney" == Rodney Thayer <rodney@sabletech.com> writes:
	     Rodney> If we don't need the Possibly Weak list, we can just make
	     Rodney> all three docs point at Schneier, "and of course you
	     Rodney> should consult the current literature for any changes in
	     Rodney> this".
	   
	   Couldn't we just publish an informational RFC with all the
	 possibilities listed, and point at *that*? Maybe one of the
	 cryptographers will author it and provide a couple of paragraphs on
	 why each set of keys is considered weak.
	   This is clearly cryptography, not network protocol design, so let
	 the experts argue over this document rather than doing it here.

We need to cite *one* source for the data, so that each side knows what
the other will do with the keying material.

I confess that I'm not worried about the possibility of a weak key being
chosen at random.  Even if one is, so what?  The problem with a weak key
is that double-encryption with it yields the original plaintext.  We're
not double-encrypting in general; if there are two independent layers of
encryption, the odds on hitting a weak key in both are about 1 in 2^108.
I'll take my chances...

If you want, I think Ran is right -- cite FIPS-74 (a reference I have gives
that as the proper document; I haven't checked).  It's at http://csrc.ncsl.nist.gov/fips/,
but that document appears to be only in WordPerfect form...
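An added illustration of the two points argued above (it is not part of Bellovin's message or of any IPsec document): why a DES weak key makes double encryption return the plaintext, and what a parity-insensitive check against the FIPS 74 / Schneier list looks like. The code runs the standard DES key schedule (PC-1, PC-2 and the shift table) and shows that the four weak keys collapse to a single repeated subkey, so the forward and reverse schedules coincide, while each semi-weak pair yields one schedule that is the reverse of the other. The key values are the published list; the function names are this example's own.

```python
"""DES weak/semi-weak keys seen through the key schedule (added example)."""

# PC-1: selects the 56 effective key bits (dropping the 8 parity bits)
# into the two 28-bit halves C and D.  Standard DES table, 1-based bit numbers.
PC1 = [57, 49, 41, 33, 25, 17, 9,  1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
# PC-2: selects the 48 subkey bits from the rotated (C, D) pair.
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
# Left-rotation amount applied to C and D before each of the 16 rounds.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

# Published weak and semi-weak keys (odd-parity form, as in FIPS 74 / Schneier).
WEAK_KEYS = [bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")]
SEMI_WEAK_PAIRS = [(bytes.fromhex(a), bytes.fromhex(b)) for a, b in (
    ("01FE01FE01FE01FE", "FE01FE01FE01FE01"),
    ("1FE01FE00EF10EF1", "E01FE01FF10EF10E"),
    ("01E001E001F101F1", "E001E001F101F101"),
    ("1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E"),
    ("011F011F010E010E", "1F011F010E010E01"),
    ("E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1"))]


def _bits(key):
    """The 64 key bits in DES numbering (bit 1 = most significant bit of byte 0)."""
    return [(key[i // 8] >> (7 - i % 8)) & 1 for i in range(64)]


def des_subkeys(key):
    """Return the 16 round subkeys (48-bit ints) DES derives from an 8-byte key."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    cd = [_bits(key)[p - 1] for p in PC1]
    c, d = cd[:28], cd[28:]
    subkeys = []
    for s in SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]   # rotate each half left by s
        cd = c + d
        k = 0
        for p in PC2:
            k = (k << 1) | cd[p - 1]
        subkeys.append(k)
    return subkeys


def strip_parity(key):
    """Clear the low (parity) bit of each byte so keys compare on their 56 effective bits."""
    return bytes(x & 0xFE for x in key)


def is_weak_key(key):
    """True for the 4 weak keys: all 16 subkeys are equal, so E_k is its own inverse."""
    k = strip_parity(key)
    return any(k == strip_parity(w) for w in WEAK_KEYS)


def is_semi_weak_key(key):
    """True for the 12 semi-weak keys: the schedule alternates between two subkeys."""
    k = strip_parity(key)
    return any(k in (strip_parity(a), strip_parity(b)) for a, b in SEMI_WEAK_PAIRS)


def check_des_key(key):
    """Classify an 8-byte DES key as 'weak', 'semi-weak' or 'ok' (parity bits ignored)."""
    if is_weak_key(key):
        return "weak"
    if is_semi_weak_key(key):
        return "semi-weak"
    return "ok"


def double_layer_weak_probability():
    """Chance that two independent random 56-bit keys are both weak: (4/2^56)^2 = 2^-108."""
    return (4 / 2 ** 56) ** 2


if __name__ == "__main__":
    for w in WEAK_KEYS:
        print(w.hex(), check_des_key(w), "distinct subkeys:", len(set(des_subkeys(w))))
    a, b = SEMI_WEAK_PAIRS[0]
    print("semi-weak pair reverses the schedule:", des_subkeys(a) == des_subkeys(b)[::-1])
    print("constructed non-weak key:", check_des_key(bytes.fromhex("0123456789ABCDEF")))
```

Two practical points the run makes visible: the comparison must ignore parity bits, since an all-zero key is the same effective key as `0101...01` and must be rejected too; and the subkey collapse is exactly what makes E_k(E_k(x)) = x, because DES decryption is the same Feistel network run with the subkeys in reverse order.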