On Feb 2, 2005, at 1:32 PM, bear wrote:
On Mon, 31 Jan 2005, Steven M. Bellovin wrote:
<snip re: 3des broken?>
[Moderator's note: The quick answer is no. The person who claims
otherwise is seriously misinformed. I'm sure others will chime
in. --Perry]

When using CBC mode, one should not encrypt more than 2^32 64-bit
blocks under a given key.

whichever it is, as you point out there are other and more secure
modes available for using 3DES if you have a fat pipe to encrypt.

I don't want to take this down a rat-hole, but I respectfully disagree. The small block size of 3DES is also an issue with "more secure modes".

CCM states that only 128 but ciphers are to be used. The NIST document states "For CCM, the block size of the block cipher algorithm shall be 128 bits; currently, the AES algorithm is the only approved block cipher algorithm with this block size."

Ferguson points out that in OCB there is a birthday at the number of packets. From the paper, "Collision attacks are much easier when 64-bit block ciphers are used. Therefore, we most strongly advise never to use OCB with a 64-bit block cipher."

These basis of this is that the mode loses packet security at a birthday of the number of blocks. In communications, this is 2^32 blocks, and if we assume 1k blocks, this is 4TBytes, which occurs after transferring less than 2 full DVDs. As network performance grows, this will be a very common transfer size.

While 3DES is not "broken", it is my opinion that the 64 bit blocksize of 3DES is not adequate for today's requirements. In this sense, it is not broken, but obsolete.



--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to