Re: On living with the 56-bit key length restriction

Cicero (cicero@redneck.efga.org)
24 Dec 1998 04:30:20 -0000

• Next message: Antonomasia: "Re: On living with the 56-bit key length restriction"
• Previous message: Missouri FreeNet Administration: "Re: On living with the 56-bit key length restriction"
• In reply to: Mok-Kong Shen: "On living with the 56-bit key length restriction"
• Next in thread: Jim Gillogly: "Re: On living with the 56-bit key length restriction"

Antonomasia <ant@notatla.demon.co.uk> wrote:
>
>Jim Gillogly <jim@acm.org>
>
>> If you use a good modern cipher for each step of the 30-bit cascade and
>> include no identifying information in each step, there should be no
>> other shortcut. "Good" for this purpose means it produces a distribution
>> of bytes indistinguishable from uniform random to someone who doesn't
>> know the key.
>
>Does this mean that padding the final block is out and ciphertext
>stealing is in ?

Or you can use either CFB or OFB, neither of which has any padding at
the end. OFB needs salt; prepending a random or pseudo-random IV to
the message, and hashing the pass phrase with it will prevent key
repetition. The only requirement on the salt is uniqueness. CFB
requires either unique session keys, or else unique IVs. Failure to
do so will put the initial block (8 bytes) of plaintext at risk. But
unique IVs are not that hard to construct; some encryption utilities
use time(), PGP uses randseed.bin (as it does for the session keys).

Cicero

• Next message: Antonomasia: "Re: On living with the 56-bit key length restriction"
• Previous message: Missouri FreeNet Administration: "Re: On living with the 56-bit key length restriction"
• In reply to: Mok-Kong Shen: "On living with the 56-bit key length restriction"
• Next in thread: Jim Gillogly: "Re: On living with the 56-bit key length restriction"