Re: Slicing and dicing

"Theodore Y. Ts'o" <tytso@MIT.EDU> Fri, 12 September 1997 16:26 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id MAA07976 for ipsec-outgoing; Fri, 12 Sep 1997 12:26:36 -0400 (EDT)
Date: Fri, 12 Sep 1997 12:35:56 -0400
Message-Id: <199709121635.MAA05295@dcl.MIT.EDU>
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: Phil Karn <karn@qualcomm.com>
Cc: karl@Ascend.COM, rodney@sabletech.com, ipsec@tis.com, karn@qualcomm.com
In-Reply-To: Phil Karn's message of Thu, 11 Sep 1997 22:40:23 -0700 (PDT), <m0x9OSt-000HUqC@laptop.ka9q.ampr.org>
Subject: Re: Slicing and dicing
Address: 1 Amherst St., Cambridge, MA 02139
Phone: (617) 253-8091
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

   Date: Thu, 11 Sep 1997 22:40:23 -0700 (PDT)
   From: Phil Karn <karn@qualcomm.com>

   How likely are we to generate a weak key by random accident? Is it
   worth worrying about?

Well, there are 4 weak keys, and 16 semi-weak keys, out of a possible
2**56 keys.  So the probability of picking one of these weak keys is
(20 * 2**-56).

Now, the property of having a weak or semi-weak key K is that there is
exactly one key (in the case of the weak key, itself), K', such that
encrypting with K and then encrypting with K' results in the original
plaintext.  Given that we are using CBC mode, the random IV also must be
the same.  

Note that this is also only a problem if we somehow end up
re-encrypting the encrypted packet again, such as in applications where
you might be using two layers of ESP for some reason.  In those cases,
the probability of trouble would be (20 * 2**-56 * 2**-56 * 2**-64), or
(20 * 2**-176), or 2 * 10**-52.

						- Ted