3 DES Encryption

Robert Moskowitz rgm at ICSA.NET
Thu Jan 6 20:05:04 EST 2000 

At 10:54 AM 1/4/2000 -0800, Jeffery Eric Contr 95 CS wrote:
>My VPN Device uses 168-bit 3 DES Encryption and HMAC-MD5 for Authentication.

that 'sounds like' and IPsec device using IKE.

>Question- are all packets encrypted with the same key or do they change with
>each packet?  Basically, I want to know if someone broke the encryption key
>would they have access to all data or just that one (or few) packet(s)?

No.  IKE has two modes, Main and Quick.  In Main mode, Keying Material 2
diffie-Hellman key pairs are used to generated both the encryption and
authentication.  Some vendors default to 8 hours for Main Mode
lifetimes.  In Quick mode, this keying material is passed through an
expotentiation to get new keying material.  There is a limit to the number
of times this expotentation can be done before  the keying material is
guessable, and no cryptographer will answer how frequent; common QM
lifetimes are 1 hour.

The final piece of the puzzle is the Diffie-Hellman group size used in
MainMode.  Group 1 is a 768 bit prime.  This is fine for up to a 80 bit key
requirement.  Group 2 is a 1024 bit prime and soem say it is OK for a 112
bit key, other cryptographers argue that is a conservative estimate and
Group @ can be used up to around 170 bits.  Group 3 and 4 use Elliptic
Curve instead of Diffie-Hellman and might be a tad faster (same relative
strengths).  We've been pressuring Dr. Orman to compute a 2048 prime for a
Group 5, maybe she'll do it by spring and products will have it in the
summer.  We will definitely need this for AES.


So, set your lifetimes for Quick and Main modes.  Note that quick mode has
a data lifetime as well as a time lifetime (too much data with the same key
and you are toast).  Use the right Group; some products figure this out for
you, others expect you to be the crypto wiz.


Sigh.


Oh, That HMAC-MD5.  There is a reasonable body of evidence that if you go
through the effort for 3DES (that is you fear that a DES scale attack could
be launched against you), you really should use HMAC-SHA1.  Dr. Krawczyk,
the author of HMAC, has expressed a slight concern about the weakness of
HMAC-MD5 under the size of attacks that will break DES.  But to be honest,
my head spins after 15 minutes with him  :)

Final point.  If your data has a short time value, frequent rekeying with
DES MIGHT be just as good protection as 3DES.  Provided that data's value
over its lifetime is not great enough to warrant very large realtime attackers.

Time to crash and burn.




>Eric Jeffery, MCSE
>Network Systems Analyst
>TYBRIN Corp.
>
>VPN is sponsored by SecurityFocus.COM

Robert Moskowitz
ICSA.net
	(248) 968-9809
Fax:	(248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished
if it doesn't matter who gets the credit

VPN is sponsored by SecurityFocus.COM

More information about the VPN mailing list