[2943] in Kerberos
Re: About principals' secret keys & attacks
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed Dec 22 17:49:59 1993
Date: Wed, 22 Dec 93 17:34:36 EST
From: tytso@MIT.EDU (Theodore Ts'o)
To: stripes@uunet.uu.net
Cc: carlos@athea.ar, sdawson@engin.umich.edu, kerberos@MIT.EDU
In-Reply-To: Josh Osborne's message of Wed, 22 Dec 1993 15:24:08 -0500 (EST),

   From: stripes@uunet.uu.net (Josh Osborne)
   Date: Wed, 22 Dec 1993 15:24:08 -0500 (EST)

   Another apparently safer (than DES) cryptosystem is IDEA, and the
   Russian cryptosystem has an impressively large key (256b primary and
   1024 secondary, I think!), but I don't know that much about it (there is
   apparently no export restriction on it, and there is an English
   translation somewhere).

It is not currently known what the cryptographic strength of IDEA is; it
is a relative new-comer, although it has resisted attacks on it so far.
Note that IDEA is also patented, and commercial use of IDEA requires
royalty payments.

The "Russian cryptosystem" seems to be substantially weaker than DES.
Among other things, it omits the use of an expansion function and uses
4x4 S-boxes. This makes it substantially more susceptible to
differential cryptanalysis. Furthermore, the 1024-bit "secondary key" is
in actuality the S-boxes --- they are not specified within the GOST
standard. Even if you knew how to choose good S-boxes, given the other
weaknesses in the structure of the cryptosystem, it is unlikely that it
is stronger than DES.

Moral of the story? Keysize is not everything.
- Ted
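
What "choosing good S-boxes" means for differential cryptanalysis can be measured with a difference distribution table (DDT). The following is an added example, not part of the original message or of any GOST or Kerberos code; both 4x4 tables are assumptions: a constructed affine table and the S-box of the PRESENT cipher, used only as a known well-chosen 4x4 table, not one of GOST's.

```python
import random
from collections import Counter

# PRESENT cipher S-box: assumed here as a known well-chosen 4x4 table (not GOST's).
GOOD_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
             0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Constructed weak table: rotate the nibble left by one bit, then XOR 0x3 (affine).
WEAK_SBOX = [(((x << 1) | (x >> 3)) & 0xF) ^ 0x3 for x in range(16)]


def ddt(sbox):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def differential_uniformity(sbox):
    """Largest DDT entry over nonzero input differences (lower is better)."""
    return max(max(row) for row in ddt(sbox)[1:])


def best_differential_probability(sbox):
    """Probability of the most likely nonzero-input differential through the table."""
    return differential_uniformity(sbox) / len(sbox)


def survey_random_sboxes(count, seed=1993):
    """Uniformity histogram for `count` randomly drawn 4x4 permutations."""
    rng = random.Random(seed)
    hist = Counter()
    for _ in range(count):
        perm = list(range(16))
        rng.shuffle(perm)
        hist[differential_uniformity(perm)] += 1
    return hist


if __name__ == "__main__":
    for name, box in (("weak (affine)", WEAK_SBOX), ("well-chosen", GOOD_SBOX)):
        print(name, differential_uniformity(box), best_differential_probability(box))
    print("random draws:", sorted(survey_random_sboxes(2000).items()))
```

The affine table passes every input difference to a single output difference with probability 1, while the well-chosen table caps any one differential at 4/16; the survey shows how randomly drawn tables are distributed between those extremes.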