Re: The Cost of Snakeoil (was Re: John Gilmore and the Great Internet Snake Drive)

Bill Stewart (bill.stewart@pobox.com)
Tue, 21 Jul 1998 21:14:09 -0700


Robert Hettinga wrote:

> It's an ex-protocol. Pining for the fjords or not.

If you nail three Norwegian Blue parrots to the same perch,
they're still just as dead, and if you compose three
Caesar cyphers together, they're still no stronger than one.

But if you take three Single-DESs and glue them together properly,
they're far stronger than any threats you'll ever encounter,
at least until the Great Nanotech Singularity uploads us all.
DES is a decently solid building block, works well stacked together,
if done right, and it may be dog-slow but everybody pretty much trusts it.
(On the other hand, there are ways to put 3 DES's together that
lose badly, and are only a few times stronger than 1-DES.)

>DES is DED. Don't buy snake oil.

So use EDE :-)

>If someone offered to sell you *2*DES crypto, claiming it's secure, it
>would be genuine snake oil, right? 2DES is an obviously broken cipher, and
>we all know that.

Well, no - the meet-in-the-middle attack on 2N-DES uses 2**55 or so storage,
which is still impractically large and expensive, though the price
has come down by about 2**20 since the mid-70s when DES came out.
A Wiener-style brute force machine doesn't scale well for that problem,
since you need the _whole_ 2**55 memory, unlike CPU which can try
a lot fewer keys/second for a longer time. Doesn't mean it's a good idea
to use it (either do 3DES, maybe the 2-Key version, or switch algorithms),
but it's still solid for a couple of years.

Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> suggests
> If it is economically and otherwise justifiable,
> I also can see no reason why the 3 in 3DES can't be replaced by n.
> One can certainly also combine DES with other encryption algorithms.

It's seldom if ever justifiable. If the 112+ bits of strength in 3DES
aren't enough for you, you're dealing with some very special problem,
or else you're too paranoid, or else you need to balance your crypto strength
with more important

                                Thanks!
                                        Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
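
The meet-in-the-middle attack on double encryption that the message refers to, as an added example that is not part of the original post. It uses a constructed 16-bit toy cipher (not DES) so the lookup table fits in memory; the cipher and all function names are assumptions of this example.

```python
# Constructed toy cipher: 16-bit block, 16-bit key. Not DES; sized so the attack runs in seconds.
MASK = 0xFFFF
MUL = 0x6487                       # odd, so invertible mod 2**16
MUL_INV = pow(MUL, -1, 1 << 16)
ROUNDS = 4

def _rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def _rotr(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK

def _round_keys(key):
    return [(key + r * 0x9E37) & MASK for r in range(ROUNDS)]

def encrypt(key, block):
    for rk in _round_keys(key):
        block = _rotl(((block ^ rk) * MUL) & MASK, 7)
    return block

def decrypt(key, block):
    for rk in reversed(_round_keys(key)):
        block = ((_rotr(block, 7) * MUL_INV) & MASK) ^ rk
    return block

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with all known (plaintext, ciphertext) pairs."""
    p0, c0 = pairs[0]
    middle = {}                    # the storage cost: one entry per first-stage key
    for k1 in range(1 << 16):      # 2**16 encryptions, all of which must be kept
        middle.setdefault(encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << 16):      # 2**16 decryptions, each a single table lookup
        for k1 in middle.get(decrypt(k2, c0), ()):
            # Extra known pairs weed out keys that only match by chance on the first pair.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    secret = (0x1A2B, 0xC3D4)      # constructed sample keys
    pairs = [(p, double_encrypt(*secret, p)) for p in (0x0000, 0x1234, 0xBEEF)]
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

The work is about 2 * 2**16 cipher operations instead of 2**32, paid for with a table of 2**16 entries; at DES key sizes that table is the 2**55 or so of storage the message describes.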




The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:48 ADT