next up previous
Next: Confidence in mechanisms Up: Strength of Encryption Mechanisms Previous: Cover time

Cost of strong mechanisms

The cost of implementing this level of protection against keysearch is not significantly different from that of providing much weaker protection. Indeed, the `40-bit' version of RC4 alluded to in the NHS strategy and rightly described as being weak, is actually a perfectly acceptable 128-bit algorithm -- but 88 of its key bits are sent in the clear in export versions of many US programs as a condition of export licencing.

There is no technical reason why strong protection should cost any more, and thus the IMG strategy's recommendation that a 64 bit algorithm should be used when 128 bit algorithms are available in the public domain makes no sense from the engineering point of view. It is also unlikely to inspire confidence in the public and the clinical community, once security professionals have the opportunity to spell this out in plain English.

Ross Anderson
Mon Oct 6 12:47:34 BST 1997