Hello there,

Additional details regarding CISCO's Field Notice - PIX Private Link Key Processing and Cryptography Issues

The CISCO PIX Private Link feature uses a DES key that is only 48 bits in length. This is not obvious straight away, since the key is internally expanded from the 7 bytes entered on the command line to the 8 bytes used by DES. If you dig into that expansion algorithm you'll find that the third byte, counting from the right, is not used at all.

This is how the key is expanded:

    #!/usr/local/bin/perl

    # Key used by DES (bit 0 of every byte is never set by the code below)
    @key_data=( 0, 0, 0, 0, 0, 0, 0, 0 );
    # Key entered in LINK statement
    @key_in = ( 0x00, 0x00, 0x00, 0x00, 0x00, 0xda, 0xaa );

    # Key expansion algorithm
    $byte = ($key_in[6] & 0x3F) << 2;
    $key_data[6] |= $byte;
    $byte = ($key_in[6] & 0xC0) >> 5;
    $key_data[5] |= $byte;

    $byte = ($key_in[5] & 0x7F) << 1;
    $key_data[7] = $byte;
    $byte = ($key_in[5] & 0x80) >> 6;
    $key_data[6] |= $byte;

    #
    # Byte 4 (from left, counting from 0, i.e. $key_in[4]) seems to be ignored
    #

    $byte = ($key_in[3] & 0x01) << 7;
    $key_data[1] |= $byte;
    $key_data[0] = ($key_in[3] & 0xFE );

    $byte = $key_in[2] & 0x03;
    $key_data[2] |= ($byte << 6);
    $byte = ($key_in[2] & 0xFC) >> 1;
    $key_data[1] |= $byte;

    $byte = $key_in[1] & 0x07;
    $key_data[3] |= ($byte << 5 );
    $byte = $key_in[1] & 0xF8;
    $key_data[2] |= ($byte >> 2);

    $byte = $key_in[0] & 0x0F;
    $key_data[4] |= ($byte << 4);
    $byte = $key_in[0] & 0xF0;
    $key_data[3] |= ($byte >> 3);
    #
    # Now you can use key in @key_data for encryption

Apparently, knowing which bits are fixed will not bring an attacker any additional 'gain' in breaking DES. At least I was told that by people from the sci.crypt group.

Another thing is that PIX is using DES in ECB mode. CISCO admits that "....ECB is not generally considered to be the best mode in which to employ DES,...." but you'll have to live with it. CISCO will not fix that so you'll have to buy future IPSEC/IKE products.

Cheers,

Gaus

---------------------------------------------------------------
EuroCERT                  tel: (+44 1235) 822 382
c/o UKERNA                fax: (+44 1235) 822 398
Atlas Centre
Chilton, Didcot
Oxfordshire OX11 0QS, UK
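
Added example (not part of the original message): a Python port of the Perl expansion above that flips each of the 56 entered key bits to see which ones reach the 8-byte DES key, and reports the output bits that can never be set. The function names are chosen here for illustration.

```python
def expand_key(key_in):
    """Expand the 7-byte key from the LINK statement to the 8-byte DES key."""
    k = [0] * 8
    k[6] |= (key_in[6] & 0x3F) << 2
    k[5] |= (key_in[6] & 0xC0) >> 5
    k[7] = (key_in[5] & 0x7F) << 1
    k[6] |= (key_in[5] & 0x80) >> 6
    # key_in[4] is never read, exactly as in the Perl original
    k[1] |= (key_in[3] & 0x01) << 7
    k[0] = key_in[3] & 0xFE
    k[2] |= (key_in[2] & 0x03) << 6
    k[1] |= (key_in[2] & 0xFC) >> 1
    k[3] |= (key_in[1] & 0x07) << 5
    k[2] |= (key_in[1] & 0xF8) >> 2
    k[4] |= (key_in[0] & 0x0F) << 4
    k[3] |= (key_in[0] & 0xF0) >> 3
    return bytes(k)


def effective_bits():
    """Return the (byte index, bit) pairs of the entered key that change the output."""
    base = expand_key([0] * 7)
    live = []
    for i in range(7):
        for b in range(8):
            probe = [0] * 7
            probe[i] = 1 << b          # set exactly one entered bit
            if expand_key(probe) != base:
                live.append((i, b))
    return live


def stuck_zero_mask():
    """Non-parity output bits that stay 0 even when every entered bit is 1."""
    out = expand_key([0xFF] * 7)
    return bytes((~o) & 0xFE for o in out)


if __name__ == "__main__":
    live = effective_bits()
    print("entered bits that reach the DES key:", len(live))
    print("entered bytes with no effect:",
          sorted(set(range(7)) - {i for i, _ in live}))
    print("stuck-at-zero mask per DES key byte:", stuck_zero_mask().hex())
    # Key from the post's LINK example
    print("expanded sample key:", expand_key([0, 0, 0, 0, 0, 0xDA, 0xAA]).hex())
```

The mask shows the eight missing bits sitting in bytes 4 and 5 of the expanded key, where the unused entered byte would otherwise have been placed.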