This preview shows page 1. Sign up to view the full content.
Unformatted text preview: rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited. Read EarthWeb's privacy statement. To access the contents, click the chapter and section titles. Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C (cloth)
Go!
Keyword
Brief Full Advanced Search Search Tips (Publisher: John Wiley & Sons, Inc.) Author(s): Bruce Schneier ISBN: 0471128457 Publication Date: 01/01/96 Search this book:
Go! Previous Table of Contents Next
 This is sometimes called encryptdecryptencrypt (EDE) mode [55]. If the block algorithm has an nbit key, then this scheme has a 2nbit key. The curious encryptdecryptencrypt pattern was designed by IBM to preserve compatibility with conventional implementations of the algorithm: Setting the two keys equal to each other is identical to encrypting once with the key. There is no security inherent in the encryptdecryptencrypt pattern, but this mode has been adopted to improve the DES algorithm in the X9.17 and ISO 8732 standards [55,761]. K1 and K2 alternate to prevent the meetinthemiddle attack previously described. If C = EK2(EK1(EK1(P))), then a cryptanalyst could precompute EK1(EK1(P))) for every possible K1 and then proceed with the attack. It only requires 2n + 2 encryptions. Triple encryption with two keys is not susceptible to the same meetinthemiddle attack described earlier. But Merkle and Hellman developed another timememory tradeoff that could break this technique in 2n  1 steps using 2n blocks of memory [1075]. For each possible K2, decrypt 0 and store the result in memory. Then, decrypt 0 with each possible K1 to get P. Tripleencrypt P to get C, and then decrypt C with K1. If that decryption is a decryption of 0 with a K2 (stored in memory), the K1 K2 pair is a possible candidate. Check if it is right. If it’s not, keep looking. This is a chosenplaintext attack, requiring an enormous amount of chosen plaintext to mount. It requires 2n time and memory, and 2m chosen plaintexts. It is not very practical, but it is a weakness. Paul...
View
Full
Document
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details