Is 3DES Broken?
james hughes
hughejp at mac.com
Fri Feb 4 10:09:20 EST 2005
On Feb 2, 2005, at 1:32 PM, bear wrote:
> On Mon, 31 Jan 2005, Steven M. Bellovin wrote:
> <snip re: 3des broken?>
>>> [Moderator's note: The quick answer is no. The person who claims
>>> otherwise is seriously misinformed. I'm sure others will chime
>>> in. --Perry]
>> [snip]
>>
>> When using CBC mode, one should not encrypt more than 2^32 64-bit
>> blocks under a given key.
> [snip]
>
> whichever it is, as you point out there are other and more secure
> modes available for using 3DES if you have a fat pipe to encrypt.
I don't want to take this down a rat-hole, but I respectfully disagree.
The small block size of 3DES is also an issue with "more secure modes".
CCM states that only 128 but ciphers are to be used. The NIST document
states "For CCM, the block size of the block cipher algorithm shall be
128 bits; currently, the AES algorithm is the only approved block
cipher algorithm with this block size."
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Ferguson points out that in OCB there is a birthday at the number of
packets. From the paper, "Collision attacks are much easier when 64-bit
block ciphers are used. Therefore, we most strongly advise never to use
OCB with a 64-bit block cipher."
http://csrc.nist.gov/CryptoToolkit/modes/comments/Ferguson.pdf
These basis of this is that the mode loses packet security at a
birthday of the number of blocks. In communications, this is 2^32
blocks, and if we assume 1k blocks, this is 4TBytes, which occurs after
transferring less than 2 full DVDs. As network performance grows, this
will be a very common transfer size.
While 3DES is not "broken", it is my opinion that the 64 bit blocksize
of 3DES is not adequate for today's requirements. In this sense, it is
not broken, but obsolete.
Thanks
jim
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list