Internet Draft                              Paul Hoffman
draft-hoffman-des40-03.txt                  Internet Mail Consortium
                                            Russ Housley
                                            SPYRUS
April 30, 1999
Expires in six months

                    Creating 40-Bit Keys for DES

Status of this memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups.  Note that other
groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

1. Introduction

This document describes an method for shortening DES keys from 56 bits
to 40 bits. The shortened keys are generally known as "DES-40". The
motivation for this weakening is that some localities give export
preference to applications that use relatively weak encryption
algorithms. Some implementors want to use DES with 40-bit keys instead
of other algorithms with 40-bit keys because they already have DES
coded into their products. The weakened keys are then used with the DES
encryption algorithm in the same manner as full-strength keys.

There are many possible methods for reducing a 56-bit key to a 40-bit
key. The method in this draft was chosen because one method is needed
for interoperability. Further, this method has been known to
occasionally have been approved for export from the United States.

2. Creating 40-Bit Keys for DES

DES [DES] uses a 56-bit key. The key consists of eight 8-bit bytes;
however the last (eighth) bit of each byte is used for parity, leaving
56 bits of key.

To weaken the 8-byte, 56-bit key into a 40-bit key, you set to zero
the first four bits of every other byte in the key, starting with the
first byte. Stated a different way, you take the bitwise logical AND
of the key and the binary value:
  0000111111111111000011111111111100001111111111110000111111111111

Another way to picture this is:

Bit positions:
  0000000000111111111122222222223333333333444444444455555555556666
  0123456789012345678901234567890123456789012345678901234567890123
Use:
  zzzzKKKpKKKKKKKpzzzzKKKpKKKKKKKpzzzzKKKpKKKKKKKpzzzzKKKpKKKKKKKp

  Legend:
   z = zero bit
   K = key bit
   p = parity bit

Some implementations of DES require the parity bit of each byte to be
set correctly in order for the key to be accepted. DES requires that
the last bit of each byte be a parity bit. DES uses odd parity,
meaning that the number of 1 bits in each byte should be odd.
Therefore, to complete the transformation to a 40-bit key, the
software SHOULD cause the parity in each byte to be odd, changing the
last bit if necessary.

3. Security Considerations

Current computer technology makes a brute-force attack on ciphertext
that is encrypted with a 40-bit key fairly quick. This is true for any
encryption algorithms, not just DES. Thus, 40-bit keys result in only
weak security against decryption. As computers get faster, this weak
security will become even weaker. Thus, 40-bit keys should never be
used with data that has a high value if it is decrypted by an
adversary. However, encrypting data with 40-bit keys prevents passive
snoopers from immediately reading a message without using some
significant but not onerous decryption effort.

Because of the ease of a brute-force attack on 40-bit keys, the 56-bit
key from which a 40-bit key is derived must not also be used as a
56-bit key. This is due to a simple attack that first derives the
40-bit key, then fills in the remaining 16 bits by brute force.
Systems that produce 40-bit keys from 56-bit keys must assume that the
associated 56-bit key is only slightly harder to compromise than the
40-bit key.

Note that short keys (and 40 bits is generally considered short) are
subject to a variety of brute-force attacks that are not possible with
longer keys, thus making them even more dangerous. For example, if a
40-bit algorithm is used and encrypted text includes a block of bytes
known to the attacker, then the attacker can pre-compute all possible
encryptions of that block and do a rapid comparison against the
pre-computed ciphertexts. Further, it is likely that more attacks on
short keys will appear in the future, thereby rendering them even less
suitable for protecting data.

The shortening method described in this draft causes a discernable
pattern of zero bits in the resulting key. There is no known
literature at this time that describes whether cyphertext encrypted
with a key that has this pattern of zeros is easier to decrypt than
cyphertext that has no pattern. However, because 40-bit keys are
already inherently weak, a decrease in security from the pattern is
not considered to be very important relative to the inherent weakness
due to the short key length.

There are other methods for converting longer keys to shorter ones.
For example, IBM has created a patented (and significantly more
complex) method called "Commercial Data Masking Facility", or CDMF
[CDMF]; other methods probably exist. These methods might result in
keys that produce cyphertext that is harder (or easier) to determine
through brute-force. A quick comparison of CDMF and DES-40 shows that
the brute-force attack against CDMF require one additional DES
operation. Saving one DES operation does not seem to warrant the
additional complexity.

A. References

[CDMF] "Design of the Commercial Data Masking Facility Data Privacy
Algorithm", 1st ACM Conference on Computer and Communications
Security, ACM Press, 1993.

[DES] ANSI X3.106, "American National Standard for Information
Systems-Data Link Encryption," American National Standards
Institute, 1983.

B. Object Identifier

In general, the algorithm identifiers associated with DES are used with
DES-40 since the algorithm is exactly the same except that 16 of the
key bits have known values. However, there are a few instances (such as
algorithm negotiation) where DES-40 needs to be specified. The
following algorithm identifier has been assigned for these cases. Note
that no mode of operation is associated with this algorithm identifier.

id-alg-des40 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
            dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 1 }

C. Authors' Addresses

Paul Hoffman
Internet Mail Consortium
127 Segre Place
Santa Cruz, CA  95060  USA
phoffman@imc.org

Russ Housley
SPYRUS
381 Elden Street, Suite 1120
Herndon, VA  20170  USA
housley@spyrus.com