Subject: Re: IPsec and key length
To: None <current-users@netbsd.org>
From: Secret Asian Man <cchen@nougat.org>
List: current-users
Date: 06/12/2000 20:10:59
On Mon, Jun 12, 2000 at 09:38:06PM -0400, Bill Sommerfeld wrote:
> > I'm confused; the documentation says that setkey will only take
> > 64-bit long des-cbc keys, but DES is 56-bit; where do the other
> > eight bits come from?
> > 
> > I'm scouring the Cisco documentation too, trying to figure out where
> > the other eight bits would come from.
> 
> The standard representation of DES keys uses the low-order bit of
> each byte as a "parity bit"; keys are supposed to have odd parity.
> 
> Parity checking doesn't add any visible strength to the algorithm, and
> sometimes causes application weaknesses, so most sane implementations
> simply ignore the parity bits.

A bigger question of mine stems from trying to make my box dance the happy dance with a Cisco switch using pre-shared keys. The keys on the router are 32 characters in length, but setkey barfs on anything larger than eight keys; I'm quite confused since they both say they're using des-cbc.

Maybe they're hexadecimal, but I'm still at a loss about how to feed them in.

Of course, maybe I'm totally off, but right now my head is about to explode. Maybe I should lie down.

-- 
Christopher Kyin-hwa Chen <cchen@nougat.org>
<http://www.nougat.org/~cchen/>
Time flies like an arrow.
Fruit flies like a banana.
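
The key layout described in the quoted reply above, as an added example that is not part of the original message: each of the 8 key bytes carries 7 key bits plus one odd-parity bit in the low-order position, which accounts for 64 bits in the key string and 56 bits of actual key. The function names and the sample keys are chosen here for illustration.

```python
"""DES key parity: 64-bit representation vs. 56 effective key bits."""

DES_KEY_BYTES = 8  # 8 bytes * (7 key bits + 1 parity bit) = 64 bits


def _require_des_key(key: bytes) -> None:
    """Reject anything that is not exactly 8 bytes long."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError(f"DES key must be {DES_KEY_BYTES} bytes, got {len(key)}")


def has_odd_parity(byte: int) -> bool:
    """True when the byte contains an odd number of 1 bits."""
    return bin(byte & 0xFF).count("1") % 2 == 1


def check_parity(key: bytes) -> list:
    """Return the indexes of key bytes that violate odd parity."""
    _require_des_key(key)
    return [i for i, b in enumerate(key) if not has_odd_parity(b)]


def fix_parity(key: bytes) -> bytes:
    """Rewrite the low-order bit of every byte so each byte has odd parity."""
    _require_des_key(key)
    out = bytearray()
    for b in key:
        high7 = b & 0xFE  # the 7 bits that are real key material
        # Even weight in the key bits means the parity bit must be 1.
        out.append(high7 | (0 if has_odd_parity(high7) else 1))
    return bytes(out)


def effective_key(key: bytes) -> int:
    """Pack the 7 high-order bits of each byte into one 56-bit integer."""
    _require_des_key(key)
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


if __name__ == "__main__":
    sample = bytes.fromhex("0123456789abcdef")  # constructed sample key
    flipped = bytes(b ^ 1 for b in sample)      # same key bits, bad parity
    print("bad parity bytes:", check_parity(flipped))
    print("same 56-bit key: ", effective_key(sample) == effective_key(flipped))
    print("repaired:        ", fix_parity(flipped).hex())
```

An implementation that ignores parity treats `sample` and `flipped` as the same key, while one that enforces it rejects `flipped` outright.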