1995-10-25 - RE: 80 bits from 40 bits – NOT

Header Data

From: agermain@cmp.com (Germain Arthur)
To: cypherpunks@toad.com (cypherpunks)
Message Hash: eda0fb3bd66386df6f89982dbbf8cebfe72c982765e63cd7b4354d6f6db459e8
Message ID: <1995Oct25.093008.1151.341060@smtpgate.cmp.com>
Reply To: N/A
UTC Datetime: 1995-10-25 13:29:17 UTC
Raw Date: Wed, 25 Oct 95 06:29:17 PDT

Raw message

From: agermain@cmp.com (Germain Arthur)
Date: Wed, 25 Oct 95 06:29:17 PDT
To: cypherpunks@toad.com (cypherpunks)
Subject: RE: 80 bits from 40 bits -- NOT
Message-ID: <1995Oct25.093008.1151.341060@smtpgate.cmp.com>
MIME-Version: 1.0
Content-Type: text/plain



I have unsubscribed from this mailing list. Please remove my name from   
your personal address lists. Thanks.

ahg3

 ----------
From:  baldwin[SMTP:baldwin@RSA.COM]
Sent:  Tuesday, October 24, 1995 2:39 PM
To:  cypherpunks
Subject:  80 bits from 40 bits -- NOT


        Well, let me eat my words.  Unless all layers turn on
encryption at the same time, and there is not predictable text
that passes from one layer to the next, adding encryption at
each layer cannot substantially improve the size of the key
space.  Consider two layers each of which has a verifiable
header and a body of encrypted text.  By "verifyable", I mean
that it contains enough redundancy to recognize a correct
decryption of the cipher added by the lower layer.  For example,
a header that included a content type field and a length field
could be examined to see if it looked reasonable, and thus
confirm a guess at the lower level's cipher.


                Plaintext-Body-1
                      |
                 Layer-1-cipher
                      |
      Header-1, Encrypted-Body-1
               |
            Layer-2-cipher
                   |
   Header-2, Encrypted-Body-2

        To crack this system, an attacker does brute force search
of the keyspace for the layer-2-cipher, for each key check the
decrypted Header-1 value to see if it looks OK, if not, continue,
otherwise start searching the keyspace for the Layer-1-cipher
given the candidate for the Encrypted-Body-1 produced by the
guess at the Layer-2-cipher key.  Clearly, if you have several
layer 2 blocks and they all have good looking values for the
Header-1, then the Layer-2-cipher key is correct.

        The summary is that two layers of 40 bit ciphers with
the first layer adding some verifiable information, has the effect
of adding at most one bit to the effective keysize (doubling the
amount of work).  It DOES NOT increase the keysize to 80 bits.
                --Bob Baldwin


______________________________ Reply Separator
_________________________________
Subject: 80 bit security from 40 bit exportable products
Author:  "baldwin" <baldwin@RSA.COM (Robert W. Baldwin)> at INTERNET
Date:    10/24/95 10:52 AM

        Long ago vendors should have put encryption into network layer
products, but for a variety of reasons that effort was delayed or
discouraged.  One effect of this lack is that almost every layer of
the network stack is adding its own encryption.  For example, the
HTTP session layer added S-HTTP and the TCP transport layer added
SSL.  Soon we will have network layer encryption with IPsec.
        The vendors for each layer can export a product that uses
ciphers with 40 bit keys.  A user can then combine multiple
products to get more than 40 bits worth of security.  For example,
a web client might fetch an S-HTTP page over an SSL protected link
via a firewall that supports IPsec tunnels.  That's three 40 bit
keys protecting the data over the internet link (of course, this
may not be equivalent to a 120 bit cipher, that depends on the
details of the cipher systems and independence of the key setups).
Interesting possibilities.
                --Bob Baldwin









Thread