long-term GPG signing key
Steven M. Bellovin
smb at cs.columbia.edu
Fri Jan 13 11:29:05 EST 2006
In message <43C7C824.9000502 at systemics.com>, Ian G writes:
>Alexander Klimov wrote:
>> On Wed, 11 Jan 2006, Ian G wrote:
>>
>>
>>>Even though triple-DES is still considered to have avoided that
>>>trap, its relatively small block size means you can now put the
>>>entire decrypt table on a dvd (or somesuch, I forget the maths).
>>
>>
>> This would need 8 x 2^{64} bytes of storage which is approximately
>> 2,000,000,000 DVDs (~ 4 x 2^{32} bytes on each).
>>
>> Probably, you are referring to the fact that during encryption of a
>> whole DVD, say, in CBC mode two blocks are likely to be the same
>> since there are an order of 2^{32} x 2^{32} pairs.
>
>Thanks for the correction, yes, so obviously I
>muffed that one. I saw it mentioned on this list
>about a year ago, but didn't pay enough attention
>to recall the precise difficulty that the small
>block size of 8 bytes now has.

The difficulty with 3DES's small blocksize is the 2^32 block limit when
using CBC -- you start getting collisions, allowing the attacker to
start building up a code book. The amount of data is quite within
reach at gigabit speeds, and gigabit Ethernet is all but standard
equipment on new computers. Mandatory arithmetic: 2^32 bytes is 2^38
bits, or ~275 * 10^9. At 10^9 bits/sec, that's less than 5 minutes.
Even at 100M bps -- and that speed *is* standard today -- it's less
than an hour's worth of transmission. The conclusion is that if you're
encrypting a LAN, you need AES or you need to rekey fairly often.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
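
The arithmetic in the reply above for a 64-bit block, together with a toy demonstration of what a repeated CBC ciphertext block reveals, as an added example that is not part of the original message. The 16-bit Feistel cipher, key, IV and traffic are constructed for illustration, and the 1e-6 rekey margin is an assumed policy value.

```python
import hashlib
import math
import random

def collision_probability(block_bits, n_blocks):
    """Birthday approximation: chance that two of n ciphertext blocks are equal."""
    return -math.expm1(-n_blocks * (n_blocks - 1) / 2 ** (block_bits + 1))

def seconds_to_birthday_bound(block_bits, link_bps):
    """Time to send 2^(b/2) blocks of b bits over a link of link_bps bits/sec."""
    return 2 ** (block_bits // 2) * block_bits / link_bps

def rekey_after_bytes(block_bits, max_prob):
    """Most data to send under one key while collision chance stays <= max_prob."""
    n = math.isqrt(int(-(2 ** (block_bits + 1)) * math.log1p(-max_prob)))
    return n * block_bits // 8

def toy_encrypt(key, block):
    """Constructed 16-bit Feistel permutation; a stand-in block cipher, not 3DES."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right

def first_cbc_collision(key, iv, plaintext):
    """CBC-encrypt 16-bit blocks; on the first repeated ciphertext block C_i == C_j
    return (j, i, C_{j-1} xor C_{i-1}), which equals P_j xor P_i."""
    seen, chain = {}, [iv]            # chain[k] is C_k, with C_0 = IV
    for i, p in enumerate(plaintext, start=1):
        c = toy_encrypt(key, p ^ chain[-1])
        if c in seen:
            j = seen[c]
            return j, i, chain[j - 1] ^ chain[i - 1]
        seen[c] = i
        chain.append(c)
    return None

if __name__ == "__main__":
    for bps in (1e9, 1e8):
        print(f"{bps:.0e} bit/s: {seconds_to_birthday_bound(64, bps):.0f} s to 2^32 blocks")
    print(f"P(collision) at 2^32 blocks: {collision_probability(64, 2**32):.2f}")
    print(f"rekey within {rekey_after_bytes(64, 1e-6):,} bytes for P <= 1e-6")
    rng = random.Random(2006)         # constructed sample traffic
    pt = [rng.randrange(1 << 16) for _ in range(5000)]
    j, i, leak = first_cbc_collision(b"demo-key", 0x1234, pt)
    print(f"toy CBC: C_{j} == C_{i}, P_{j}^P_{i} = {leak:#06x}", leak == pt[j - 1] ^ pt[i - 1])
```

Passing 128 as `block_bits` gives the corresponding figures for AES.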