CISCO PIX Vulnerability
Thu, 4 Jun 1998 10:59:10 +0000

Damir Rajnovic wrote:
> Apparently, knowing what bits are fixed will not bring attacker 
> any additional 'gain' in breaking a DES. At least I was told that by 
> people from sci.crypt group.

That statement is true under certain circumstances, but it seems to be taken 
out of context here.

DES uses an 8 byte key, of which only 56 bits are used for encryption (8 of 
the bits are ignored). Because of this, you can take a 7 byte key and by 
carefully expanding it, you can produce an 8 byte DES key that is just as 
strong as a random 8 byte key so long as the original 7 byte key is truly 

When using DES with the infamous 40 bit key limitation often mandated by 
certain governments, vendors must further reduce the 56 bits down to 40 bits. 
The algorithm used is typically to mask (fix) 16 bits in the 56 bits used in 
the DES key such that the number of non-fixed bits always adds up to 40 bits. 

The "privacy" of a 40 bit key does not depend on which of the 16 bits were 
masked out of the original 56 used bits. The same method can be used to 
create an effective key length of 48 bits.

> Another thing is that PIX is using DES in ECB mode. CISCO admits that
> "....ECB is not generally considered to be the best mode in which to 
> employ DES,...." but you'll have to live with it. CISCO will not fix
> that so you'll have to buy future IPSEC/IKE products.

ECB is the simplest (and most vulnerable) mode available...

Stacey Lum