From: DAVESPARKS@delphi.com
Date: Fri, 15 Jul 94 21:20:06 PDT
To: cypherpunks@toad.com
Subject: Re: Triple encryption...
Message-ID: <01HER66KT4XS9ASKAD@delphi.com>
MIME-Version: 1.0
Content-Type: text/plain


Mike Johnson wrote:

> Or for the rabid, clinically paranoid:
> 
> 3des | tran | IDEA | tran | Diamond | tran | Blowfish | prngxor | 

 [11 iterations deleted]

> ... about 500 more lines of the same ...
> 
> with a memorized 5 megabyte key.
> 
> And I thought 15 round Diamond with a 256 bit key was overkill worse than 
> 3 key triple DES!
> 
> Seriously, folks, the weakest links of most cryptosystems are not in the 
> symmetric key cipher (provided you pick one of the good ones), but in the 
> key management, associating people with keys, and in picking good pass 
> phrases.

There's always a trade-off, and you've just demonstrated one of the
extremes.  In the final analysis, it's sort of like deciding whether to
spend $1000 on a security system to protect a $500 car, for "security", or
leave the doors unlocked and "hide" the ignition key under the mat for "ease
of use".  Probably something in between makes the most sense.

HOWEVER ... I was merely demonstrating one possible permutation on the
triple DES method. (More precisely, a permutation to someone else's
permutation.)  Replacing the middle layer of DES with IDEA seems to be a
feasible alternative, since IDEA is as fast as DES, or slightly faster. If a
user is concerned enough about security to want to use 3DES in the first
place, then an extra 64 bits of keying material is not an unreasonable
burden.  It also "diversifies" the overall protection in case either DES or
IDEA should eventually be found to be exceptionally weak when attacked in a
certain, previously unknown, manner.

IMHO, "paranoid" would be saying that people *MUST* protect their data to
this level, regardless of its actual "value", as opposed to merely
presenting options for an end-user the choose from, including some
common-sense key management guidelines as well.

A single iteration of the 512 layer "overkill" scenario might even make
sense, actually, under certain extraordinary circumstances.  Unless the
various algorithms react in some sort of strange way to actually *WEAKEN*
each other, your final security is equal to that of the STRONGEST of the
mix.  OTOH, if we *KNEW* that the best attack against IDEA was brute force,
then single IDEA would suffice for just about any conceivable application.

What would you like to suggest in the way of key management to make that
"link" at least as strong as the algorithmic one?  Your point is certainly a
valuable one, but the two aren't mutually exclusive.  That would be like
saying that I won't buy a lock for my front door until I've first replaced
all my windows with something more sturdy than glass.  It depends on the
nature and source of any potential attacks.  To follow the analogy, some
"burglars" are better at lock picking than glass-smashing.

 /--------------+------------------------------------\
 |              |  Internet: davesparks@delphi.com   |
 | Dave Sparks  |  Fidonet:  Dave Sparks @ 1:207/212 |
 |              |  BBS:      (909) 353-9821 - 14.4K  |
 \--------------+------------------------------------/