On Wed, Jul 11, 2001 at 12:48:30PM -0500, Tim Walberg wrote:
> On 07/11/2001 18:40 +0100, Dale Amon wrote:
> >> 3) Encrypting sequentially with two different symmetric
> >> keys of 256 bits will have an end result that has a
> >> security of 256 <= equivkeysize <= 512.
>
> This is not always true; there are known cases where, due
> to weaknesses in algorithms, encrypting twice may actually
> be weaker than encrypting once - i.e. you may end up with
> equivkeysize < 256. This really depends on the algorithm
> and the choice of keys, though (many algorithms have certain
> keys that are weaker than others, as well).

Actually, it's worse than that. Review Bruce Schneier's comments
on 3-DES and "meet in the middle" attacks. Even crypto systems which
do not exhibit a compound weakening are likely to be vulnerable to
meet in the middle attacks that amount to them only being twice as
strong (257 bits in this case) as the single encryption. A "double DES"
would only have the equivalent strength of roughly 57 bits (for two
rounds of 56 bit DES) whereas 3-DES defeats the meet in the middle
attack resulting in 112 bit strength for EDE two key mode or 168 bits
where all three keys are independent.

> --
> twalberg@xxxxxxxxxxxxxx

Mike
--
Michael H. Warfield  | (770) 985-6132 | mhw@xxxxxxxxxxxx
(The Mad Wizard)     | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9      | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471  | possible worlds. A pessimist is sure of it!

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
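
Added example, not part of the original message: a meet-in-the-middle search against double encryption, using a constructed toy cipher (32-bit block, 16-bit key; `encrypt`, `decrypt` and every key and plaintext value are assumptions made for the demo). The table-and-lookup search costs 2^17 single-cipher operations rather than 2^32, the same one-extra-bit effect the message describes for double DES, at the price of storing 2^16 table entries.

```python
# Added example: meet-in-the-middle against double encryption.
# The 32-bit Feistel cipher with a 16-bit key is a constructed toy.
KEY_BITS = 16
MASK16 = 0xFFFF

def _f(half, key, rnd):
    # Keyed round function; a Feistel network is invertible for any f.
    x = (half ^ key ^ (rnd * 0x9E37)) & MASK16
    x = (x * 0x2545 + 0x1B) & MASK16
    return x ^ (x >> 7)

def encrypt(key, block):
    l, r = block >> 16, block & MASK16
    for rnd in range(4):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 16) | r

def decrypt(key, block):
    l, r = block >> 16, block & MASK16
    for rnd in reversed(range(4)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 16) | r

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, single-cipher operations in the search)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops, table = 0, {}
    for k1 in range(1 << KEY_BITS):        # forward half: E_k1(P) for all k1
        table.setdefault(encrypt(k1, p0), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):        # backward half: D_k2(C) for all k2
        mid = decrypt(k2, c0)
        ops += 1
        for k1 in table.get(mid, ()):      # same middle value: check other pairs
            if all(encrypt(k2, encrypt(k1, p)) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

def demo():
    k1, k2 = 0xBEEF, 0x1337                # constructed secret keys
    plaintexts = [0x00000000, 0x01234567, 0xDEADBEEF]  # constructed known plaintexts
    pairs = [(p, encrypt(k2, encrypt(k1, p))) for p in plaintexts]
    found, ops = meet_in_the_middle(pairs)
    return (k1, k2), found, ops

if __name__ == "__main__":
    true_keys, found, ops = demo()
    print("true keys:", true_keys, "recovered:", found)
    print("search cost:", ops, "= 2^17, versus 2^32 for naive brute force")
```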