[2941] in Kerberos


Re: About principals' secret keys & attacks

daemon@ATHENA.MIT.EDU (Josh Osborne)
Wed Dec 22 15:52:37 1993

From: stripes@uunet.uu.net (Josh Osborne)
To: tytso@MIT.EDU (Theodore Ts'o)
Date: Wed, 22 Dec 1993 15:24:08 -0500 (EST)
Cc: carlos@athea.ar, sdawson@engin.umich.edu, kerberos@MIT.EDU
In-Reply-To: <9312221949.AA21047@tsx-11.MIT.EDU> from "Theodore Ts'o" at Dec 22, 93 02:49:21 pm

[...]
>The right answer to fixing this, of course, is to switch to some other
>cryptosystem --- like triple-DES, for example.  Kerberos V5 has support
>for multiple cryptosystems, and I anticipate that we will be adding
>support for triple-DES in the near future.

Yes, I mentioned that "single DES" is unsafe (vs. known plaintext attacks),
but failed to mention that triple DES seems safe.  (In fact UUNET's
encryption product uses your choice of triple or single DES, which we
were retrospectively ecstatic about when that paper came out!)

For the uninitiated, triple DES is 3 repeated uses of DES: to do a triple
DES "encrypt" you DESencrypt the data with key A, then DESdecrypt it with key
B and then DESencrypt it with C.  To triple DES "decrypt" you DESdecrypt the
data with C, then DESencrypt with B, then DESdecrypt with A.  I don't know
if this has been mathematically proven to be stronger than single DES, but it
is at least believed to be.

Another apparently safer (than DES) cryptosystem is IDEA, and the Russian
cryptosystem has an impressively large key (256b primary and 1024 secondary, I
think!), but I don't know that much about it (there is apparently no export
restriction on it, and there is an English translation somewhere).
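
The encrypt-decrypt-encrypt ordering described in the message above, as an added example that is not part of the original post. It goes slightly beyond the message by also showing that setting A = B = C collapses the construction to a single encryption. Assumptions: the `toy_encrypt`/`toy_decrypt` Feistel cipher is a hypothetical, insecure stand-in for single DES (the Python standard library has no DES), and the keys and plaintext are constructed sample values.

```python
import hashlib

# Toy 64-bit Feistel cipher standing in for single DES (assumption: NOT real
# DES and not secure; it only supplies an invertible keyed block operation).
ROUNDS = 16

def _subkeys(key: bytes) -> list:
    # One subkey per round, derived from the key (toy key schedule).
    return [hashlib.sha256(key + bytes([r])).digest() for r in range(ROUNDS)]

def _feistel(block: bytes, subkeys: list) -> bytes:
    if len(block) != 8:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for k in subkeys:
        f = hashlib.sha256(k + right).digest()[:4]
        left, right = right, bytes(x ^ y for x, y in zip(left, f))
    return right + left  # final swap: running with reversed subkeys inverts

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key))

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key)[::-1])

# Triple "encrypt": encrypt with A, decrypt with B, encrypt with C.
def ede_encrypt(a: bytes, b: bytes, c: bytes, block: bytes) -> bytes:
    return toy_encrypt(c, toy_decrypt(b, toy_encrypt(a, block)))

# Triple "decrypt": decrypt with C, encrypt with B, decrypt with A.
def ede_decrypt(a: bytes, b: bytes, c: bytes, block: bytes) -> bytes:
    return toy_decrypt(a, toy_encrypt(b, toy_decrypt(c, block)))

if __name__ == "__main__":
    A, B, C = b"key-A...", b"key-B...", b"key-C..."  # constructed sample keys
    pt = b"8bytemsg"                                  # constructed plaintext
    ct = ede_encrypt(A, B, C, pt)
    print("ciphertext:", ct.hex())
    print("round trip:", ede_decrypt(A, B, C, ct) == pt)
    # With A = B = C the middle decrypt cancels the first encrypt.
    print("A=B=C is single:", ede_encrypt(A, A, A, pt) == toy_encrypt(A, pt))
```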
