DES <weak> key list?

Rodney Thayer <> Wed, 10 September 1997 13:30 UTC

Date: Wed, 10 Sep 1997 09:37:19 -0400
From: Rodney Thayer <>
Subject: DES <weak> key list?

ISAKMP-OAKLEY specifies DES Weak and Semi-Weak keys (the list on page 281,
5th printing, 2nd edition of Schneier).  The list of keys in the draft and
the list of keys in the book are the same, I believe.

The ESP DES drafts listed Weak, Semi-Weak, and 'Possibly' weak keys.  It's
the POSSIBLY WEAK list that has an error in Schneier, even in the 5th
printing.  I have some questions on this.

1. Where's the source of this Possibly Weak list, that people are using in
telling us that Schneier is wrong?
2. Should we or should we not worry about the Possibly Weak list?
ISAKMP-Oakley presumably didn't think it was necessary.  Simpson (who did
the DES Implicit IV draft, which pre-dates the Explicit IV draft) thought
it was necessary?  Could someone explain the logic of this, either way?

If we don't need the Possibly Weak list, we can just make all three docs
point at Schneier, "and of course you should consult the current literature
for any changes in this".

>Date: Tue, 9 Sep 1997 11:11:29 -0700
>From: Karl Fox <>
>To: Rodney Thayer <>
>Subject: Slicing and dicing
>Reply-To: Karl Fox <>
>Organization: Ascend Communications
>Rodney Thayer writes:
>> I believe that during the most recent round of draft writing we discovered
>> that several people were discussing and/or documenting DES Weak keys.  I
>> suspect we failed to resolve that.  I think the simplest resolution I heard
>> was to suggest that in the future all documents point at Schneier's book
>> for the weak and semi-weak key list.
>I'd prefer that the list be included in the document (preferably in a
>*single* document), partly because the table of possibly-weak keys in
>my copy of Schneier's book (2nd edition, 1st printing) contains an
>error.  The tables in draft-ietf-ipsec-ciph-des-derived-00.txt and
>draft-ietf-ipsec-ciph-des-expiv-00.txt are right.  I don't know if
>Schneier's book has been corrected in later printings (if there are
>any).  I've reported the error to him twice with only an automated
>errata list (not containing the table error) as reply, but it may be
>fixed now--others I've spoken to have found it, too.
>> >Date: Mon, 8 Sep 1997 15:04:45 -0700
>> >From: Karl Fox <karl@Ascend.COM>
>> >To:
>> >Subject: Slicing and dicing
>> >Reply-To: Karl Fox <karl@Ascend.COM>
>> >Organization: Ascend Communications
>> >
>> >While I'm on the subject of key material derivation,
>> >draft-ietf-ipsec-ciph-des-expiv-00.txt talks about comparisons with
>> >possibly-weak keys, while isakmp-oakley-04 only mentions weak and
>> >semi-weak keys.  They should be consistent.  Even better, they should
>> >both point to a single place where an appropriate technique is
>> >described.
>> >
>> >Also, draft-ietf-ipsec-ciph-des-expiv-00.txt says that
>> >
>> >   [some document] describes the general mechanism to derive keying
>> >   material for the ESP transform. The derivation of the key from some
>> >   amount of keying material does not differ between the manually- and
>> >   automatically-keyed security associations.
>> >
>> >Does anybody know when this document will be available?  What else
>> >should we use to find out what to use for the ANX testing, the
>> >reference implementation?
>> >
>> >Is that what everybody else does?
>> >-- 
>> >Karl Fox, servant of God, employee of Ascend Communications
>> >655 Metro Place South, Suite 370, Dublin, Ohio  43017   +1 614 760 4041
>Karl Fox, servant of God, employee of Ascend Communications
>655 Metro Place South, Suite 370, Dublin, Ohio  43017   +1 614 760 4041