[851] in cryptography@c2.net mail archive
Re: usage of triple-DES
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Thu May 15 22:21:43 1997
To: cryptography@c2.net
In-reply-to: Your message of "Thu, 15 May 1997 19:49:04 EDT."
<3.0.1.32.19970515194904.00774070@pop3.pn.com>
Reply-To: perry@piermont.com
Date: Thu, 15 May 1997 22:19:16 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Rodney Thayer writes:
> I'm configuring Triple DES for use in IPsec. I get the
> impression that most but not all Triple-DES implementations use
> TWO keys (2x56 bits, padded with parity to 128 bits) and ONE IV
> (64 bits.) This matches the description in Schneier's book
> (Encrypt with Key1, Decrypt with Key2, Encrypt with Key1.)
> However, later in the second edition he recommends the use of
> THREE keys not two. Also I see <a major cryptographic
> technology vendor> allows for "24 bytes" (I take this means
> three keys) in their Triple-DES EDE software. I'm interested
> in implementing but polite manner. I think I should use two
> keys. Any comments? Anyone else looking at Triple-DES for IPsec?
3DES modes for use in IPSEC have been dealt with already several times
-- see RFC1851 for one example. The formats have progressed since then
as Steve Bellovin and Dave Wager discovered that authenticationless
modes permit various and sundry attacks, but that's not the point.
The point is there are standard 3DES transforms for use with IPSec. If
you want to interoperate with other people using IETF standard
protocols, please use the predefined transforms. If you roll your own,
no one can talk to you. As an implementor, your job isn't to decide if
you use two keys or three -- if you make such a decision, how will you
interoperate?
Perry
