gnu-crypto-discuss

Re: [GNU Crypto] how to deal with weak keys. was: Documentation


From: Simon Josefsson
Subject: Re: [GNU Crypto] how to deal with weak keys. was: Documentation
Date: Wed, 28 May 2003 13:31:50 +0200
User-agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3.50 (gnu/linux)

"Raif S. Naffah" <address@hidden> writes:

>> My vote is to not check for weak keys. Any user-level applications we
>> eventually write for GNU Crypto most definitely *should* check for
>> weak keys when they are generated, but I don't think this belongs in
>> the library proper.
>
> i hear you.

My vote is to implement it, but make the check optional somehow.  Weak
key testing is useful to have in the library, and some applications
really do need it (cf. Kerberos DES string2key).  Those who do not need
it don't have to use it.

> ok.  i see the benefit of allowing even weak keys to go through the 
> implementation.  i double checked all the FIPS publications relevant to 
> DES, and couldn't find even a warning about weak keys!

See FIPS 74 section 3.6.  It mentions the weak and semi-weak keys, but
not the pseudo-weak keys (using Schneier's terminology).

http://www.itl.nist.gov/fipspubs/fip74.htm

> * add in each cipher implementation which is known to exhibit weak, or 
> semi-weak keys, a private static final boolean CHECK_WEAK_KEYS with a 
> default value.  in the makeKey() method we add the code to check for 
> weak keys conditioned by the value of CHECK_WEAK_KEYS.
>
> * in the code, distinguish the case of weak keys with a new exception 
> that is a subclass of InvalidKeyException.  this way the code will 
> remain backward compatible.
>
> * add a warning in the documentation, incl. the README about the set 
> default for CHECK_WEAK_KEYS, and how the user can change it to get the 
> desired effect if it is not set to the appropriate value.
>
>
> how does this sound?

Sounds good to me.
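The design agreed above (an optional weak-key check inside makeKey(), signalled by a new subclass of InvalidKeyException) sketched in Python as an added example; this is not GNU Crypto code, and the names InvalidKeyError, WeakKeyError, CHECK_WEAK_KEYS and make_key are hypothetical stand-ins for the Java ones. The key table is the 4 weak and 12 semi-weak keys from FIPS 74 section 3.6; the check masks parity bits so a weak key with wrong parity is still caught.

```python
# Added example: sketch of the optional weak-key check proposed above.
# Not GNU Crypto code; InvalidKeyError, WeakKeyError, CHECK_WEAK_KEYS and
# make_key are hypothetical names mirroring the Java proposal.

CHECK_WEAK_KEYS = True  # library default; callers can override per call


class InvalidKeyError(ValueError):
    """Stands in for java.security.InvalidKeyException."""


class WeakKeyError(InvalidKeyError):
    """Subclass, so callers that already catch InvalidKeyError keep working."""


# The 4 weak and 12 semi-weak DES keys (FIPS 74 sec. 3.6), odd parity bits set.
_WEAK_KEYS = [bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "1F1F1F1F0E0E0E0E", "E0E0E0E0F1F1F1F1",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101", "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)]


def _strip_parity(key: bytes) -> bytes:
    # DES ignores the low bit of every key byte, so compare only the 56
    # effective bits; otherwise a weak key with bad parity would slip through.
    return bytes(b & 0xFE for b in key)


_WEAK_SET = frozenset(_strip_parity(k) for k in _WEAK_KEYS)


def is_weak(key: bytes) -> bool:
    """True if the 56 effective key bits match a weak or semi-weak DES key."""
    return len(key) == 8 and _strip_parity(key) in _WEAK_SET


def make_key(key: bytes, check_weak_keys: bool = CHECK_WEAK_KEYS) -> bytes:
    """Stand-in for the cipher's makeKey(): optionally rejects weak keys."""
    if len(key) != 8:
        raise InvalidKeyError("DES key must be 8 bytes")
    if check_weak_keys and is_weak(key):
        raise WeakKeyError("weak or semi-weak DES key: %s" % key.hex())
    return key  # the real key schedule would be derived here


if __name__ == "__main__":
    weak = bytes.fromhex("0101010101010100")  # constructed: weak key, parity cleared
    try:
        make_key(weak)
    except WeakKeyError as e:
        print("rejected:", e)
    print("accepted with check off:", make_key(weak, check_weak_keys=False).hex())
```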
