Other Directory Sites: SeekWonder | Directory Owners Forum
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:11:01
Jim Gillogly (jimg@mentat.com)
Mon, 24 Aug 1998 09:27:02 -0700
> Does anyone know the level of security that 3-key RC4-40 (or RC2 for that matter) would get
> you? The reason I ask is that I'm having to do some development with MS-CAPI right now
> and outside the USA we only have the weak 40-bit RC4 and RC2 to use.
I suspect the answer hinges on whether excess stuff results from the
encryption at each step. For example, if the first RC4-40 encryption
results in ciphertext that includes any kind of known or knowable
fields like any kind of framing data; a checksum, cryptographic or
otherwise; a public IV; a "Here follows the RC4-40 ciphertext:"; a
distinctive trailer; or (in the case of RC2) standards-specified
padding, then the security is no better than 3 * RC4-40: they can be
unwound one at a time trivially. If there's absolutely no extraneous
material and the three keys are unrelated, I don't see an easy attack
off the top of my head. Note, though, that 40-bit keyspaces are small
enough to allow storage-intensive precomputation attacks that are
impractical with 56-bit systems, so perhaps there's a birthday problem
available.
I'm sure someone familiar with MS-CAPI could answer the question
of whether each encipherment results in knowable plaintext for the
next step.
It was my understanding that part of getting export certification was
having some protection against the user doing multiple encryption
within the scope of the program. Of course the user could always do an
off-line Blowfish first, but that doesn't fit in with Andy's later "Not
using MS-CAPI is not an option" requirement. Having a required field
that says "'Ere's yer bluidy ciphertext" would fill that bill. That's a
general rule of thumb, though, and perhaps MS-CAPI doesn't suffer from
it.
Jim Gillogly
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:11:01