1995-10-24 - 80 bits from 40 bits – NOT

Header Data

From: “baldwin” <baldwin@RSA.COM (Robert W. Baldwin)>
To: cypherpunks@toad.com
Message Hash: 5a87829f3f85d08911e97a0645de77e2fddf801592e13d5f3f358c160e33d9f6
Message ID: <9509248145.AA814570684@snail.rsa.com>
Reply To: N/A
UTC Datetime: 1995-10-24 21:39:46 UTC
Raw Date: Tue, 24 Oct 95 14:39:46 PDT

Raw message

From: "baldwin" <baldwin@RSA.COM (Robert W. Baldwin)>
Date: Tue, 24 Oct 95 14:39:46 PDT
To: cypherpunks@toad.com
Subject: 80 bits from 40 bits -- NOT
Message-ID: <9509248145.AA814570684@snail.rsa.com>
MIME-Version: 1.0
Content-Type: text/plain


        Well, let me eat my words.  Unless all layers turn on
encryption at the same time, and there is not predictable text
that passes from one layer to the next, adding encryption at
each layer cannot substantially improve the size of the key
space.  Consider two layers each of which has a verifiable
header and a body of encrypted text.  By "verifyable", I mean
that it contains enough redundancy to recognize a correct
decryption of the cipher added by the lower layer.  For example,
a header that included a content type field and a length field
could be examined to see if it looked reasonable, and thus
confirm a guess at the lower level's cipher.


                Plaintext-Body-1
                      |
                 Layer-1-cipher
                      |
      Header-1, Encrypted-Body-1
               |
            Layer-2-cipher
                   |
   Header-2, Encrypted-Body-2

        To crack this system, an attacker does brute force search
of the keyspace for the layer-2-cipher, for each key check the
decrypted Header-1 value to see if it looks OK, if not, continue,
otherwise start searching the keyspace for the Layer-1-cipher
given the candidate for the Encrypted-Body-1 produced by the
guess at the Layer-2-cipher key.  Clearly, if you have several
layer 2 blocks and they all have good looking values for the
Header-1, then the Layer-2-cipher key is correct.

        The summary is that two layers of 40 bit ciphers with
the first layer adding some verifiable information, has the effect
of adding at most one bit to the effective keysize (doubling the
amount of work).  It DOES NOT increase the keysize to 80 bits.
                --Bob Baldwin


______________________________ Reply Separator _________________________________
Subject: 80 bit security from 40 bit exportable products
Author:  "baldwin" <baldwin@RSA.COM (Robert W. Baldwin)> at INTERNET
Date:    10/24/95 10:52 AM

        Long ago vendors should have put encryption into network layer
products, but for a variety of reasons that effort was delayed or 
discouraged.  One effect of this lack is that almost every layer of 
the network stack is adding its own encryption.  For example, the 
HTTP session layer added S-HTTP and the TCP transport layer added 
SSL.  Soon we will have network layer encryption with IPsec.
        The vendors for each layer can export a product that uses
ciphers with 40 bit keys.  A user can then combine multiple 
products to get more than 40 bits worth of security.  For example, 
a web client might fetch an S-HTTP page over an SSL protected link 
via a firewall that supports IPsec tunnels.  That's three 40 bit 
keys protecting the data over the internet link (of course, this 
may not be equivalent to a 120 bit cipher, that depends on the 
details of the cipher systems and independence of the key setups). 
Interesting possibilities.
                --Bob Baldwin







Thread