Is 3DES Broken?

james hughes hughejp at mac.com
Fri Feb 4 10:09:20 EST 2005


On Feb 2, 2005, at 1:32 PM, bear wrote:
> On Mon, 31 Jan 2005, Steven M. Bellovin wrote:
> <snip re: 3des broken?>
>>> [Moderator's note: The quick answer is no. The person who claims
>>> otherwise is seriously misinformed. I'm sure others will chime
>>> in. --Perry]
>> [snip]
>>
>> When using CBC mode, one should not encrypt more than 2^32 64-bit
>> blocks under a given key.
> [snip]
>
> whichever it is, as you point out there are other and more secure
> modes available for using 3DES if you have a fat pipe to encrypt.

I don't want to take this down a rat-hole, but I respectfully disagree. 
The small block size of 3DES is also an issue with "more secure modes".

CCM states that only 128-bit ciphers are to be used. The NIST document 
states "For CCM, the block size of the block cipher algorithm shall be 
128 bits; currently, the AES algorithm is the only approved block 
cipher algorithm with this block size."
	http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf

Ferguson points out that in OCB there is a birthday at the number of 
packets. From the paper, "Collision attacks are much easier when 64-bit 
block ciphers are used. Therefore, we most strongly advise never to use 
OCB with a 64-bit block cipher."
	http://csrc.nist.gov/CryptoToolkit/modes/comments/Ferguson.pdf

The basis of this is that the mode loses packet security at a 
birthday of the number of blocks. In communications, this is 2^32 
blocks, and if we assume 1k blocks, this is 4TBytes, which occurs after 
transferring less than 2 full DVDs. As network performance grows, this 
will be a very common transfer size.

While 3DES is not "broken", it is my opinion that the 64-bit block size 
of 3DES is not adequate for today's requirements. In this sense, it is 
not broken, but obsolete.

Thanks

jim


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
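
Added example, not part of the original post: a toy illustration of the birthday limit on CBC discussed in the thread. It uses a constructed 16-bit keyed permutation (an assumption, standing in for a 64-bit cipher such as 3DES) so that ciphertext-block collisions appear after a few hundred blocks, and it checks that each collision reveals the XOR of two plaintext blocks. All function names and sample data are constructed for this example.

```python
import random

BLOCK_BITS = 16            # toy block size (assumption); 3DES has 64-bit blocks
N = 1 << BLOCK_BITS

def make_toy_cipher(rng):
    """Random keyed permutation over 16-bit blocks; a stand-in, not 3DES."""
    table = list(range(N))
    rng.shuffle(table)
    return table

def cbc_encrypt(table, iv, blocks):
    """CBC: C_k = E(P_k xor C_{k-1}) with C_0 = IV. Returns [IV, C_1, ...]."""
    out = [iv]
    for p in blocks:
        out.append(table[p ^ out[-1]])
    return out

def find_collisions(ct):
    """Pairs (i, j), i < j, of positions >= 1 where C_i == C_j."""
    seen, pairs = {}, []
    for j in range(1, len(ct)):
        if ct[j] in seen:
            pairs.append((seen[ct[j]], j))
        else:
            seen[ct[j]] = j
    return pairs

def expected_collisions(n_blocks, block_bits):
    """Birthday estimate: n(n-1)/2 pairs, each colliding with probability 2^-b."""
    return n_blocks * (n_blocks - 1) / 2 ** (block_bits + 1)

def demo(n_blocks=2000, seed=1):
    """Return (true P_i xor P_j, value computed from ciphertext) per collision."""
    rng = random.Random(seed)
    table = make_toy_cipher(rng)                      # constructed key
    pt = [rng.randrange(N) for _ in range(n_blocks)]  # constructed plaintext
    ct = cbc_encrypt(table, rng.randrange(N), pt)
    # E is a permutation, so C_i == C_j implies
    # P_i xor C_{i-1} == P_j xor C_{j-1}; pt[k-1] holds P_k.
    return [(pt[i - 1] ^ pt[j - 1], ct[i - 1] ^ ct[j - 1])
            for i, j in find_collisions(ct)]

if __name__ == "__main__":
    leaks = demo()
    print("collisions in 2000 toy blocks:", len(leaks))
    print("all leak the plaintext XOR:", all(a == b for a, b in leaks))
    print("expected at 2^32 blocks, 64-bit:", expected_collisions(2**32, 64))
    print("expected at 2^32 blocks, 128-bit:", expected_collisions(2**32, 128))
```

The same estimate is why rekeying well before 2^32 blocks is the usual mitigation for 64-bit ciphers, while a 128-bit block pushes the bound to 2^64 blocks.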


