Re: Slicing and dicing

jim@mentat.com (Jim Gillogly) Fri, 12 September 1997 16:50 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id MAA08109 for ipsec-outgoing; Fri, 12 Sep 1997 12:50:06 -0400 (EDT)
Date: Fri, 12 Sep 1997 09:56:27 -0700
From: jim@mentat.com
Message-Id: <9709121656.AA16604@mentat.com>
To: karn@qualcomm.com, tytso@MIT.EDU
Subject: Re: Slicing and dicing
Cc: karl@Ascend.COM, rodney@sabletech.com, ipsec@tis.com
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

Phil Karn sez:
>    How likely are we to generate a weak key by random accident? Is it
>    worth worrying about?

Ted T'so responds:
...
> Note that this is also only a problem if we some how end up
> re-encrypting the encrypted packet again, such as in applications where
> you might be using two layers of ESP for some reason.  In those cases,
> the probability of trouble would be (20 * 2**-56 * 2**-56 * 20**-64), or
> (20 * 2**-176), or 2 * 10**-52.

Putting this in perspective, there are about pi * 10^7 seconds per year,
so if everybody on earth (10^10, in round numbers) were changing keys 10^10
times per second, somebody would expose a stream once in 10^25 years.

I think I can live with that.

	Jim Gillogly