Re: [TLS] Question about TLS_RSA_WITH_3DES_EDE_CBC_SHAx

[Martin Rex <mrex@sap.com>]

Martin Rex wrote:
> 
> Adam Langley wrote:
> > 
> > Stefan Winter <stefan.winter@restena.lu> wrote:
> > >
> > > I'm not sure whether TLS_RSA_WITH_3DES_EDE_CBC_SHA is a two-key
> > > or a three-key 3DES algorithm. This condition would be the only
> > > one that could downgrade the I-D in question from
> > > "unconditionally compliant" to "conditionally compliant".
> > 
> > I believe it's the 3-key algorithm. RFC 5246, App B covers this:
> > 
> > "DES can also be operated in a mode [3DES] where three independent
> > keys and three encryptions are used for each block of data; this uses
> > 168 bits of key (24 bytes in the TLS key generation method) and
> > provides the equivalent of 112 bits of security."
> 
> see also  http://tools.ietf.org/html/rfc2246#page-21
> 
> It is a probabilistic 3-key DES-EDE (encryption-decryption-encryption),
> meaning that the algotihm is treated as a block cipher with a
> keysize of 24 octets, blocksize of 8 octets and cbc-ivsize of 8 octets
> (distinct keying material for direction client->server and server->client).
> 
> The first 8x7 bits (sans parity) differ from the final 8x7 bits of the key
> on probabilistic grounds, there are no algorithmic provisions to ensure
> this, and neither are there algorithmic provisions to ensure that
> none of the 3 single-DES subkeys are weak DES keys.
>  
> (you're certainly better of with AES128-CBC, in particular because it
>  is significantly faster--on x86 and x86_64  AES128-CBC has 6x higher
>  data encryption rate than 3DES-EDE for optimized software-implementations.)

Thinking about it, checking whether the first 8x7 bits differ from
the middle 8x7 bits, and that the middle 8x7 bits differ from the final
8x7 bits might have be even more important, because either one being
equal would cause the 3DES-EDE operation to fold into a single-DES
operation.  :-o

-Martin