| < draft-hoffman-des40-01.txt | draft-hoffman-des40-02.txt > | |||
|---|---|---|---|---|
| Internet Draft Paul Hoffman | Internet Draft Paul Hoffman | |||
| draft-hoffman-des40-01.txt Internet Mail Consortium | draft-hoffman-des40-02.txt Internet Mail Consortium | |||
| Russ Housley | Russ Housley | |||
| SPYRUS | SPYRUS | |||
| April 20, 1998 Expires six months later | April 29, 1998 Expires six months later | |||
| Creating 40-Bit Keys for DES | Creating 40-Bit Keys for DES | |||
| Status of this memo | Status of this memo | |||
| This document is an Internet-Draft. Internet-Drafts are working | This document is an Internet-Draft. Internet-Drafts are working | |||
| documents of the Internet Engineering Task Force (IETF), its areas, | documents of the Internet Engineering Task Force (IETF), its areas, | |||
| and its working groups. Note that other groups may also distribute | and its working groups. Note that other groups may also distribute | |||
| working documents as Internet-Drafts. | working documents as Internet-Drafts. | |||
| skipping to change at line 88 ¶ | skipping to change at line 88 ¶ | |||
| Current computer technology makes a brute-force attack on ciphertext | Current computer technology makes a brute-force attack on ciphertext | |||
| that is encrypted with a 40-bit key fairly quick. This is true for any | that is encrypted with a 40-bit key fairly quick. This is true for any | |||
| encryption algorithms, not just DES. Thus, 40-bit keys result in only | encryption algorithms, not just DES. Thus, 40-bit keys result in only | |||
| weak security against decryption. As computers get faster, this weak | weak security against decryption. As computers get faster, this weak | |||
| security will become even weaker. Thus, 40-bit keys should never be | security will become even weaker. Thus, 40-bit keys should never be | |||
| used with data that has a high value if it is decrypted by an | used with data that has a high value if it is decrypted by an | |||
| adversary. However, encrypting data with 40-bit keys prevents passive | adversary. However, encrypting data with 40-bit keys prevents passive | |||
| snoopers from immediately reading a message without using some | snoopers from immediately reading a message without using some | |||
| significant but not onerous decryption effort. | significant but not onerous decryption effort. | |||
| Because of the ease of a brute-force attack on 40-bit keys, the 56-bit | ||||
| key from which a 40-bit key is derived must not also be used as a | ||||
| 56-bit key. This is due to a simple attack that first derives the | ||||
| 40-bit key, then fills in the remaining 16 bits by brute force. | ||||
| Systems that produce 40-bit keys from 56-bit keys must assume that the | ||||
| associated 56-bit key is only slightly harder to compromise than the | ||||
| 40-bit key. | ||||
| Note that short keys (and 40 bits is generally considered short) are | ||||
| subject to a variety of brute-force attacks that are not possible with | ||||
| longer keys, thus making them even more dangerous. For example, if a | ||||
| 40-bit algorithm is used and encrypted text includes a block of bytes | ||||
| known to the attacker, then the attacker can pre-compute all possible | ||||
| encryptions of that block and do a rapid comparison against the | ||||
| pre-computed ciphertexts. Further, it is likely that more attacks on | ||||
| short keys will appear in the future, thereby rendering them even less | ||||
| suitable for protecting data. | ||||
| The shortening method described in this draft causes a discernable | The shortening method described in this draft causes a discernable | |||
| pattern of zero bits in the resulting key. There is no known | pattern of zero bits in the resulting key. There is no known | |||
| literature at this time that describes whether cyphertext encrypted | literature at this time that describes whether cyphertext encrypted | |||
| with a key that has this pattern of zeros is easier to decrypt than | with a key that has this pattern of zeros is easier to decrypt than | |||
| cyphertext that has no pattern. However, because 40-bit keys are | cyphertext that has no pattern. However, because 40-bit keys are | |||
| already inherently weak, a decrease in security from the pattern is | already inherently weak, a decrease in security from the pattern is | |||
| not considered to be very important relative to the inherent weakness | not considered to be very important relative to the inherent weakness | |||
| due to the short key length. | due to the short key length. | |||
| There are other methods for converting longer keys to shorter ones. | There are other methods for converting longer keys to shorter ones. | |||
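Review bot: in the added paragraph beginning "Note that short keys", the phrase "brute-force attacks that are not possible with longer keys" overstates the case. The known-block precomputation described is possible against any key length; it is only practical at 40 bits because the attacker can enumerate and store all 2^40 encryptions of the known block. Suggest "not practical with longer keys", and spell out the implementer-relevant consequence: the table is built once and reused against every message that contains the same known block, so the per-message cost drops to a lookup. In the preceding added paragraph, "only slightly harder to compromise" understates the 16 remaining bits the text itself describes; stating the factor (2^16, or 65,536 times the 40-bit effort) would make the requirement on systems that derive 40-bit keys from 56-bit keys precise rather than qualitative.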
End of changes. 3 change blocks. 2 lines changed or deleted, 20 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/