Hi Bruno,
>I've got another question about 3DES and SSL: isn't the SSL protocol limited
>to a 128 bit keylength ? If this is true, how is 3DES handled ? Is the 3rd
>key only partially used ? Or is the "key1, key2, key1" scheme used ?
No, the "key1, key2, key1" scheme is not used for the 3DES cipher suites in
SSL.
I have faced this issue when writing a Java client compatible with an SSLeay
server.
It is also quite clear from the TLSv1 specification (RFC 2246) quoted at the
end of this message.
But this 2-key triple DES (112 bit key length) would be the best solution
regarding the French regulation:
It would not be stronger than 128 bit and still currently secure (whereas
simple DES is not).
It would also be as resistant as the 3-key triple DES to the
"meet-in-the-middle" attack, described by Ben. Am I right?
So, do you think it would be wise to submit such a cipher suite to the TLS
standard:
CipherSuite TLS_DH_DSS_WITH_DES_128_EDE3_CBC_SHA = { 0x00,0x1C };
----------------------------------------------------------------------------
Extracts from RFC 2246:
"Data Encryption Standard
DES is a very widely used symmetric encryption algorithm. DES is
a block cipher with a 56 bit key and an 8 byte block size. Note
that in TLS, for key generation purposes, DES is treated as
having an 8 byte key length (64 bits), but it still only provides
56 bits of protection. (The low bit of each key byte is presumed
to be set to produce odd parity in that key byte.) DES can also
be operated in a mode where three independent keys and three
encryptions are used for each block of data; this uses 168 bits
of key (24 bytes in the TLS key generation method) and provides
the equivalent of 112 bits of security. [DES], [3DES]"
"Implementation note:
The cipher spec which is defined in this document which requires
the most material is 3DES_EDE_CBC_SHA: it requires 2 x 24 byte
keys, 2 x 20 byte MAC secrets, and 2 x 8 byte IVs, for a total of
104 bytes of key material."
"CipherSuite TLS_DH_DSS_WITH_DES_CBC_SHA = { 0x00,0x0C };
CipherSuite TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D };"
"Note: Additional cipher suites can be registered by publishing an RFC
which specifies the cipher suites, including the necessary TLS
protocol information, including message encoding, premaster
secret derivation, symmetric encryption and MAC calculation and
appropriate reference information for the algorithms involved.
The RFC editor's office may, at its discretion, choose to publish
specifications for cipher suites which are not completely
described (e.g., for classified algorithms) if it finds the
specification to be of technical interest and completely
specified."
----------------------------------------------------------------------------
Nicolas Roumiantzeff.
PS: by any chance, Bruno, have you been through the ENTPE? (nothing to do
with a new crypto algorithm;-)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
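
Added example (not part of the original message, and not OpenSSL or SSLeay code): a Python sketch of the RFC 2246 key expansion for 3DES_EDE_CBC_SHA. It shows the 104-byte key block from the quoted implementation note, and that each 24-byte write key holds three independent DES subkeys rather than a "key1, key2, key1" layout. The function names are hypothetical and the master secret and randoms are constructed sample values.

```python
import hmac

# Key-block layout for 3DES_EDE_CBC_SHA, in RFC 2246 section 6.3 order.
SIZES = [("client_write_MAC_secret", 20), ("server_write_MAC_secret", 20),
         ("client_write_key", 24), ("server_write_key", 24),
         ("client_write_IV", 8), ("server_write_IV", 8)]

def p_hash(name, secret, seed, n):
    """P_hash (RFC 2246 section 5): chain HMAC outputs until n bytes exist."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, name).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, name).digest()
    return out[:n]

def tls10_prf(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5 on the first half of the secret XOR P_SHA-1 on the second."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, n)
    sha = p_hash("sha1", secret[-half:], label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha))

def set_odd_parity(key):
    """Set the low bit of each byte so that the byte has odd parity (DES convention)."""
    return bytes((b & 0xFE) | (1 ^ (bin(b >> 1).count("1") & 1)) for b in key)

def split_key_block(master_secret, client_random, server_random):
    """Derive the key block and cut it into the six named pieces."""
    total = sum(n for _, n in SIZES)                  # 104 bytes for this suite
    block = tls10_prf(master_secret, b"key expansion",
                      server_random + client_random, total)
    parts, off = {}, 0
    for name, n in SIZES:
        parts[name] = block[off:off + n]
        off += n
    return parts

def independent_key_bits(key):
    """56 bits per distinct 8-byte DES subkey, compared after parity adjustment."""
    subkeys = {set_odd_parity(key[i:i + 8]) for i in range(0, len(key), 8)}
    return 56 * len(subkeys)

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real session.
    keys = split_key_block(bytes(range(48)), b"\x01" * 32, b"\x02" * 32)
    print(independent_key_bits(keys["client_write_key"]))
```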