Re: 3DES key-length for data authentication

• Previous message: Freddy Chavez: "Re: SFTP - only"
• In reply to: jaymo@hiwaay.net: "Re: 3DES key-length for data authentication"
• Next in thread: jaymo@hiwaay.net: "Re: 3DES key-length for data authentication"
• Reply: jaymo@hiwaay.net: "Re: 3DES key-length for data authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 09 Dec 2002 10:31:48 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: jaymo@hiwaay.net

jaymo@hiwaay.net wrote:

> The effective keylength of Triple-DES is 112 bits. I don't recall the
> rationale for this now - it should be available in all the usual
> places; e.g. google, "triple-DES effective keylength".

The meet-in-the-middle time-memory trade-off attack (Cf. Merkle-Hellman)
is a chosen plaintext attack, so it's applicable only if the adversary
can mount such an attack -- not likely in a VPN, probably likely in an
encrypted file system. It's easiest to describe for double DES --
Merkle-Hellman allows for breaking double DES with 2 keys in 2^(n+1)
chosen plaintext encryptions, rather than the 2^2n you might expect.
Merkle-Hellman breaks 3-DES-CBC-EDE-3K in 2^2n steps and requires 2^2n
blocks of memory.

The effective key length if the adversary can mount a CPA against
3-DES-CBC-EDE-3K is 112 bits. If the adversary cannot mount the MITM
attack, the effective key length is 168 bits.

In the case of using triple DES for SSH or SSL operations, my educated
guess is that it actually does provide 168 bits worth of key strength.

• Next message: Philip Le Riche: "Re: Cygwin and SSH"
• Previous message: Freddy Chavez: "Re: SFTP - only"
• In reply to: jaymo@hiwaay.net: "Re: 3DES key-length for data authentication"
• Next in thread: jaymo@hiwaay.net: "Re: 3DES key-length for data authentication"
• Reply: jaymo@hiwaay.net: "Re: 3DES key-length for data authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]