Re: 3DES key-length for data authentication

From: Michael Sierchio (kudzu@tenebras.com)
Date: 12/09/02

  • Next message: Philip Le Riche: "Re: Cygwin and SSH"
    Date: Mon, 09 Dec 2002 10:31:48 -0800
    From: Michael Sierchio <kudzu@tenebras.com>
    To: jaymo@hiwaay.net
    
    

    jaymo@hiwaay.net wrote:

    > The effective keylength of Triple-DES is 112 bits. I don't recall the
    > rationale for this now - it should be available in all the usual
    > places; e.g. google, "triple-DES effective keylength".

    The meet-in-the-middle time-memory trade-off attack (Cf. Merkle-Hellman)
    is a chosen plaintext attack, so it's applicable only if the adversary
    can mount such an attack -- not likely in a VPN, probably likely in an
    encrypted file system. It's easiest to describe for double DES --
    Merkle-Hellman allows for breaking double DES with 2 keys in 2^(n+1)
    chosen plaintext encryptions, rather than the 2^2n you might expect.
    Merkle-Hellman breaks 3-DES-CBC-EDE-3K in 2^2n steps and requires 2^2n
    blocks of memory.

    The effective key length if the adversary can mount a CPA against
    3-DES-CBC-EDE-3K is 112 bits. If the adversary cannot mount the MITM
    attack, the effective key length is 168 bits.

    In the case of using triple DES for SSH or SSL operations, my educated
    guess is that it actually does provide 168 bits worth of key strength.



    Relevant Pages

    • Re: 3DES key-length for data authentication
      ... > is a chosen plaintext attack, so it's applicable only if the adversary ... It's easiest to describe for double DES -- ... the effective key length is 168 bits. ...
      (SSH)
    • Re: Countering chosen-plaintext attacks
      ... >> attack on your cipher as proof that the cipher is safe from anyone ... > So we have a disagreement as you said. ... This is why it is called a chosen plaintext attack. ...
      (sci.crypt)
    • Re: Stupid Triple DES question
      ... Shouldnt it then be 3 times as secure ... With triple-DES this kind of "meet in the middle" attack does not ... type of double DES that avoids that attack. ... THen you encrypt with first key. ...
      (sci.crypt)
    • Re: Countering chosen-plaintext attacks
      ... >>input to the algorithm corresponds to the output C ... > someone can form a chosen plaintext or ciphertext attack. ... Was sich ueberhaupt sagen laesst, | What can be said at all can ...
      (sci.crypt)
    • Re: Any truth to rumor that NSA had Public Key Crypto first?
      ... the best differential attack against full single DES requires 2^47 ... takes about 2^60 steps and uses ...2^60 chosen plaintexts". ...
      (sci.crypt)