Cryptography Reference
In-Depth Information
This means that an exhaustive key search attack against an all-or-nothing encryption
is slowed down by a factor equal to the number of ciphertext blocks.
The simplest method to protect a block cipher against exhaustive key search
attacks is to work with sufficiently long keys. It goes without saying that modern
ciphers with key lengths of 128 bits and more are resistant to exhaustive key search
attacks with current technology. In a 1996 paper
16
written by a group of well-known
and highly respected cryptographers, it was argued that keys should be at least 75 bits
long and that they should be at least 90 bits long if data must be protected adequately
for the next 20 years (i.e., until 2016). Note that these numbers only provide a lower
bound for the key length; there is no reason not to work with longer keys in the first
place.
17
In practice, there are three possibilities to address (and possibly solve) the
problem of the small key length of DES:
1. The DES may be modified in a way that compensates for its relatively small
key length;
2. The DES may be iterated multiple times;
3. An alternative symmetric encryption system with a larger key length may be
used.
The first possibility leads us to a modification of DES that is known as DESX
(addressed later). The second possibility leads us to the TDEA addressed in Section
10.2.1.6. Last but not least, the third possibility leads us to the AES as addressed in
Section 10.2.2 (the AES has a key length of 128, 192, or even 256 bits).
10.2.1.5
DESX
In order to come up with a modification of DES that compensates for its relatively
small key length, Rivest developed and proposed a simple technique called
DESX
.
DESX is practically relevant, because it was the first symmetric encryption system
employed by the Encrypted File System (EFS) in the Microsoft Windows 2000
operating system.
The DESX construction is illustrated in Figure 10.4. In addition to the DES
key
k
, the DESX construction employs two additional 64-bit keys,
k
1
and
k
2
.
18
They
16
http://www.schneier.com/paper-keylength.html
17
It is sometimes argued that long keys slow down the encryption and decryption algorithms consid-
erably. This argument is wrong. In most symmetric encryption systems, the secret key is expanded
by a highly efficient key schedule algorithm, and this algorithm is largely independent from how
many key bits are provided in the first place.
Note that
k
1
and
k
2
must be different. Otherwise, the binary additions modulo 2 (i.e., XOR
operations) would cancel themselves out.
18
