[4827] in cryptography@c2.net mail archive
Re: ICSA certifies weak crypto as secure
daemon@ATHENA.MIT.EDU (John Gilmore)
Wed Jun 2 18:31:31 1999
To: John Kelsey <kelsey.j@ix.netcom.com>
Cc: "Arnold G. Reinhold" <reinhold@world.std.com>,
"Kawika Daguio" <KDAGUIO@aba.com>, dcsb@ai.mit.edu,
cryptography@c2.net, gnu@toad.com
In-reply-to: <4.1.19990528133046.0093d4c0@popd.ix.netcom.com>
Date: Tue, 01 Jun 1999 18:19:14 -0700
From: John Gilmore <gnu@toad.com>
John Kelsey said, in a list of what people do wrong in crypto:
> e. In exportable systems, you have to use the salt
> correctly. If you just use a 40-bit key, you end up
> vulnerable to various kinds of precomputation attack.
>
> f. In exportable systems, you have to separate the keys
> used for data integrity from the keys used for data
> encryption. The encryption keys have to be weakened, but
> the integrity keys (for MACs or signatures) need to be kept
> at full strength.
John, what are you talking about?
Even assuming you'd want to write a cryptosystem in the US and export
it -- a silly idea if I ever heard one, it just causes endless
trouble -- there's no reason to limit yourself to 40 bits!
Step 1:
Export jobs, not crypto. Full strength crypto is exportable;
you just have to select the right jurisdiction to export it
from. Many countries care more about their citizens' privacy
and rights than about the efficiency of their wiretap
bureaucracies.
Step 2 (for those who can't grasp Step 1):
56-bit DES is known to be insecure, therefore you can export it.
-- John