I think the recently published attack has more to do with bad
implementations/specification than a newly discovered weakness in 3DES.
That you should never encrypt anything near 2^32 blocks is well known (but
I don’t know how well this is explained in NIST or IETF specifications, if
at all).

I am very supportive of everything speeding up the deprecation of weak
algorithms and protocols, but then I think CFRG should make a broader
approach and look at more candidates for general deprecation like SHA-1
signatures, 1024-bit MODP, and 1024-bit RSA… I think all of these are far
weaker than 3-key 3DES.

Making sure that IETF provides good implementation guidelines and
requirements for all ciphers might be as important.

/John


On 25/08/16 05:28, "Cfrg on behalf of Peter Gutmann"
<[email protected] on behalf of [email protected]> wrote:

>Tony Arcieri <[email protected]> writes:
>
>>Should there be a 3DES "diediedie"?
>
>Only if there's an actual issue.  3DES is still very widely supported
>(particularly in financial systems and embedded), and provides a useful
>backup to AES.  An attack that recovers cookie if you can record 785GB
>of traffic isn't anything I'm losing any sleep over.
>
>Peter.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
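A worked illustration of the 2^32-block birthday bound John refers to, and of the kind of per-key usage limit an implementation guideline could enforce, added here as example code rather than anything posted in the thread; the block-size constants and the 2**20-block default limit are assumptions chosen for the demo.

```python
"""Birthday-bound arithmetic and a per-key usage budget for a 64-bit block
cipher such as 3DES.  Added illustration for this thread, not code from any
poster; the limit values are assumptions chosen for the demo."""
import math

BLOCK_BITS_3DES = 64   # 3DES block size
BLOCK_BITS_AES = 128   # AES block size, for comparison


def collision_probability(n_blocks: int, block_bits: int) -> float:
    """Approximate chance that some pair among n_blocks ciphertext blocks
    collides (in CBC a collision leaks the XOR of two plaintext blocks):
    p ~= n^2 / 2^(b+1), capped at 1."""
    return min(1.0, n_blocks * n_blocks / 2.0 ** (block_bits + 1))


def blocks_for_probability(p: float, block_bits: int) -> int:
    """Number of blocks at which the collision probability reaches p."""
    return int(math.sqrt(p * 2.0 ** (block_bits + 1)))


def blocks_for_bytes(nbytes: int, block_bits: int) -> int:
    """Full or partial blocks needed to carry nbytes of data."""
    return -(-nbytes // (block_bits // 8))   # ceiling division


class KeyUsageBudget:
    """Counts blocks encrypted under one key and refuses further use once
    max_blocks would be exceeded, so the caller must rekey.  The default of
    2**20 blocks (8 MiB for 3DES) is an assumed conservative limit, far below
    the 2**32-block birthday bound."""

    def __init__(self, block_bits: int = BLOCK_BITS_3DES, max_blocks: int = 2 ** 20):
        self.block_bits = block_bits
        self.max_blocks = max_blocks
        self.used_blocks = 0

    def consume(self, nbytes: int) -> bool:
        """Charge nbytes to the key; return False (charging nothing) if that
        would push the key past its budget."""
        needed = blocks_for_bytes(nbytes, self.block_bits)
        if self.used_blocks + needed > self.max_blocks:
            return False
        self.used_blocks += needed
        return True

    def remaining_bytes(self) -> int:
        """Bytes that may still be encrypted under this key."""
        return (self.max_blocks - self.used_blocks) * (self.block_bits // 8)
```

At 2^32 blocks the 64-bit cipher sits at a 50% collision probability (32 GiB of data) while AES at the same volume is still around 2^-65, which is why the volume quoted above is far past the bound for 3DES.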
