Kinetic term: Difference between revisions

From formulasearchengine
Jump to navigation Jump to search
en>Sp4cetiger
dab link
 
en>AnomieBOT
m Dating maintenance tags: {{Dn}}
Line 1: Line 1:
He got back late, and looked so tired I said I�d order a Rasa curry, which I did. So, on Friday, I emailed him in the morning to say that I�d been worried by the fact that he�d read the address of my London flat on the internet. They wanted to phone us back, so I reminded David I�d lost my BlackBerry, and have no idea what the number of the Bat Phone is.<br><br>I keep conjuring up images of him in 1983, trying to reignite the passion. <br>I told him, before he started wriggling, that I think that memorable evening, when after our game of squash he had asked me to take his racquet home for him because he had a date, he had already started seeing the woman he would marry.<br><br>He bought me a bottle of prosecco, and some shopping. On Sunday, we went to the Matisse exhibition at the Tate Modern (walking round the exhibit, talking, made me feel as though we were in a Woody Allen movie), and again his car had a parking ticket on it when we returned to it. This time, though, he didn�t hand it to me, although it�s sitting, accusingly, on my desk.<br><br>The whole phone, in fact, is a gleaming object of desire but it lacks standout new features other than the cameras, so you�ll miss out on gizmos such as the Samsung S5�s fingerprint scanner, or LG G3�s frankly frightening Quad HD screen.<br><br>99                  &#9733;&#9733;&#9733;&#9733;&#9733;Most of us who can be considered vaguely literate felt a faint anger when the term �selfie� passed from geek-speak into common parlance, especially after this year�s famous examples at the Oscars and Nelson Mandela�s funeral, where Barack Obama snuggled up to David Cameron. Huawei Ascend P7 �329.<br><br>And don�t say, �Don�t give me a hard time� when it�s you giving me a hard time. I did nothing today other than work hard and order dinner. 'Have a great life together, just leave me out of it. �You know I have no interest in her. I didn�[http://www.britannica.com/search?query=t+realise t realise] you had taken my keys back. I hope that was just a fit of pique. <br>This came back the next morning, when he�d arrived at work. I love you and no one else. I have to work now, but I�ll see you tonight, as usual. My life is an open book to you.<br><br>Isobel and Dawn are in situ already, chilling the wine. Lots of books on Kindle. My Accessorize pink bikini. Wow, are we going to whip up some copy! What about the wedding proposal on the Pampelonne beach and me and Dawn can scatter white rose petals. Xxx� <br>The thing is, I�m not even sure David is still coming� Packing in tissue paper tonight: The Row sunglasses. My Dries negligee dress. Isobel has just sent me a message�<br>�The cast of Liz Jones�s Diary are off to the South of France. Let�s get this show on the road!<br><br>She had written to him three times, about him giving her his car (His reply: �I will send you the log book�), and having found his bow tie (His reply: �I spent �75 on one last week.<br><br>The famous Oscars �selfie� taken by Bradley Cooper and featuring Angelina Jolie, Brad Pitt, Meryl Streep, Julia Roberts, Ellen DeGeneres, Jennifer Lawrence, Lupita Nyong�o, her brother Peter, Kevin Spacey, Jared Leto and Channing Tatum<br>But Huawei (pronounced like the reverse of a jubilant �Whahey�) needed to add to the language to sum up the purpose of its new Ascend P7�s stand-out feature - a forward-facing eight-megapixel camera, with the option for panoramic shots. By law, this is the only phone you�ll be taking �groufies� on - although as yet, the trademark doesn�t apply in the UK, so users of other phones can still use it for their own work. Unless you�re the size of a Weight Watchers �before� picture, there�s only one reason for this to exist - a �group selfie� (ie, a group shot where one of you holds the camera) - hence �groufie�. Huawei is so proud of the word the company trademarked it in several countries to mark the launch of the P7.<br><br>In case you�re wondering what Huawei is, it�s one of those Chinese companies that only recently began hawking smartphones in the West, and shifts so many phones in the Far East it�s the third biggest phone company on Earth.<br><br>Upstage selfie-toting friends by turning you and your pals into a real 3D-model (warning: there�s a fair bit of work involved), ready to print off. The app �walks� you round anything to capture it in 3D - now all you need is a few hundred quid for a 3D printer.<br><br>Huawei�s invention of the g-word, and the panoramic software to make it a reality, is down to a feeling that the endless Twitter parade of selfies (both celebrity and human), might be improved with a bit of context. And in action, it�s impressive too.<br><br>WOLFENSTEIN: THE NEW ORDER�40, PC, CONSOLES<br>The biggest surprise in Wolfensteing: The New Order is that it's the tense plotting that lifts this violent tale above its beige rivals <br>With an alternate-history plot hewn from the finest codswallop - a Nazi general uses high technology to summon an army of robots and zombies - the biggest surprise here is that it�s the tense plotting that lifts this violent tale above its beige rivals. &#9733;&#9733;&#9733;&#9733;&#9733;<br><br>If you cherished this report and you would like to acquire much more data pertaining to clash of clans triche gemmes ([http://nouveauclashofclanstriche.blogspot.com/ visit here]) kindly check out our site.
In [[cryptography]], a '''weak key''' is a [[key (cryptography)|key]], which, used with a specific [[cipher]], makes the cipher behave in some undesirable way. Weak keys usually represent a very small fraction of the overall keyspace, which usually means that, if one generates a random key to encrypt a message, weak keys are very unlikely to give rise to a security problem.  Nevertheless, it is considered desirable for a cipher to have no weak keys. A cipher with no weak keys is said to have a ''flat'', or ''linear'', [[key space (cryptography)|key space]].
 
== Historical origins ==
Virtually all rotor based cipher machines (from 1925 onwards) have implementation flaws that lead to a substantial number of weak keys being created. Some machines have more problems with weak keys than others, as modern block and stream ciphers do.
 
The German Enigma machine is a family of about a dozen different cipher machine designs, each with its own problems. The military Enigma cipher machine, in its 3 and 4 rotor implementations had the equivalent of weak keys. Certain combinations of rotor order, stepping and initial key were fundamentally weaker than others. The Enigma's reflector (when used) guaranteed that no letter could be enciphered as itself, so an A could never turn back into an A. This helped Polish and, later, British efforts to break the cipher. (See [[Cryptanalysis of the Enigma]] and the [[Enigma rotor details]].)
 
The first stream cipher machines, that were also rotor machines had some of the same problems of weak keys as the more traditional rotor machines. The T52 was one such stream cipher machine that had weak key problems.
 
The British first detected T52 traffic in Summer and Autumn of 1942. One link was between [[Sicily]] and [[Libya]], codenamed "[[Sturgeon]]", and another from [[Aegean Sea|the Aegean]] to [[Sicily]], codenamed "[[Mackerel]]". Operators of both links were in the habit of enciphering several messages with the same machine settings, producing large numbers of [[depth (cryptanalysis)|depth]]s.
 
There were several (mostly incompatible) versions of the T52: the T52a and T52b (which differed only in their electrical noise suppression), T52c, T52d and T52e. While the T52a/b and T52c were cryptologically weak, the last two were more advanced devices; the movement of the wheels was intermittent, the decision on whether or not to advance them being controlled by logic circuits which took as input data from the wheels themselves.
 
In addition, a number of conceptual flaws (including very subtle ones) had been eliminated. One such flaw was the ability to reset the [[keystream]] to a fixed point, which led to key reuse by undisciplined machine operators.
 
==Weak keys in DES==
The [[block cipher]] [[Data Encryption Standard|DES]] has a few specific keys termed "weak keys" and "semi-weak keys". These are keys that cause the encryption mode of DES to act identically to the decryption mode of DES (albeit potentially that of a different key).
 
In operation, the secret 56-bit key is broken up into 16 subkeys according to the DES [[key schedule]]; one subkey is used in each of the sixteen DES rounds. DES ''weak keys'' produce sixteen identical subkeys. This occurs when the key (expressed in [[hexadecimal]]) is:<ref>FIPS, ''GUIDELINES FOR IMPLEMENTING AND USING THE NBS DATA ENCRYPTION STANDARD'', FIPS-PUB 74, http://www.itl.nist.gov/fipspubs/fip74.htm</ref>
* Alternating ones + zeros (0x0101010101010101)
* Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
* '0xE0E0E0E0F1F1F1F1'
* '0x1F1F1F1F0E0E0E0E'
 
If an implementation does not consider the parity bits, the corresponding keys with the inverted parity bits may also work as weak keys:
* all zeros (0x0000000000000000)
* all ones (0xFFFFFFFFFFFFFFFF)
* '0xE1E1E1E1F0F0F0F0'
* '0x1E1E1E1E0F0F0F0F'
 
Using weak keys, the outcome of the Permuted Choice 1 (PC1) in the DES [[key schedule]] leads to round keys being either all zeros, all ones or alternating zero-one patterns.
 
Since all the subkeys are identical, and DES is a [[Feistel network]], the encryption function is self-inverting; that is, despite encrypting once giving a secure-looking cipher text, encrypting twice produces the original plaintext.
 
DES also has ''semi-weak keys'', which only produce two different subkeys, each used eight times in the algorithm: This means they come in pairs ''K''<sub>1</sub> and ''K''<sub>2</sub>, and they have the property that:
 
:<math>E_{K_1}(E_{K_2}(M))=M</math>
 
where E<sub>''K''</sub>(M) is the encryption algorithm encrypting [[plaintext|message]] ''M ''with key ''K''. There are six semiweak key pairs:
* 0x011F011F010E010E and 0x1F011F010E010E01
* 0x01E001E001F101F1 and 0xE001E001F101F101
* 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
* 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
* 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
* 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
 
There are also 48 possibly weak keys that produce only four distinct subkeys (instead of 16). They can be found in <ref>NIST, ''Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher,'' [http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf Special Publication 800-67], page 14</ref>
 
These weak and semiweak keys are not considered "fatal flaws" of DES. There are 2<sup>56</sup> (7.21 &times; 10<sup>16</sup>, about 72 quadrillion) possible keys for DES, of which four are weak and twelve are semiweak. This is such a tiny fraction of the possible keyspace that users do not need to worry. If they so desire, they can check for weak or semiweak keys when the keys are generated. They are very few, and easy to recognize.  Note, however, that currently DES is no longer recommended for general use since ''all'' keys can be brute-forced in about a day for a one-time hardware cost in the order of some new PC addon cards.
 
==List of algorithms with weak keys==<!-- This section is linked from [[Stream cipher]] -->
{{Expand list|date=August 2008}}
* [[RC4]]. RC4's weak initialization vectors allow an attacker to mount a known-plaintext attack and have been widely used to compromise the security of [[Wired Equivalent Privacy|WEP]].<ref>FLUHRER, S., MANTIN, I., AND SHAMIR, A. Weaknesses in the key scheduling algorithm of RC4. Eighth Annual Workshop on Selected Areas in Cryptography (August 2001), http://citeseer.ist.psu.edu/fluhrer01weaknesses.html</ref>
* [[IDEA (cipher)|IDEA]]. IDEA's weak keys are identifiable in a chosen-plaintext attack. They make the relationship between the XOR sum of plaintext bits and ciphertext bits predictable. There is no list of these keys, but they can be identified by their "structure".
* [[Data Encryption Standard]]
* [[Blowfish (cipher)|Blowfish]]. Blowfish's weak keys produce ''bad'' [[S-box]]es, since Blowfish's S-boxes are key-dependent. There is a chosen plaintext attack against a reduced-round variant of Blowfish that is made easier by the use of weak keys. This is not a concern for full 16-round Blowfish.
 
==No weak keys as a design goal==
The goal of having a 'flat' keyspace (i.e., all keys equally strong) is always a cipher design goal. As in the case of DES, sometimes a small number of weak keys is acceptable, provided that they are all identified or identifiable. An algorithm that has unknown weak keys does not inspire much trust {{Citation needed|date=March 2011}}.
 
The two main countermeasures against inadvertently using a weak key:
* Checking generated keys against a list of known weak keys, or building rejection of weak keys into the key scheduling.
* When the number of weak keys is known to be very small (in comparison to the size of the keyspace), generating a key uniformly at random ensures that the probability of it being weak is a (known) very small number.
 
A large number of weak keys is a serious flaw in any cipher design, since there will then be a (perhaps too) large chance that a randomly generated one will be a weak one, compromising the security of messages encrypted under it. It will also take longer to check randomly generated keys for weakness in such cases, which will tempt shortcuts in interest of 'efficiency'.
 
However, weak keys are much more often a problem where the adversary has some control over what keys are used, such as when a block cipher is used in a [[block cipher modes of operation|mode of operation]] intended to construct a secure [[cryptographic hash function]] (e.g. [[Davies-Meyer]]).
 
==See also==
* [[Authentication factor]]s
* [[Strong authentication]]
* [[Authentication#Multifactor authentication|Multifactor authentication]]
 
==References==
<references/>
 
{{Cryptography navbox | block | stream}}
 
[[Category:Cryptographic attacks]]
[[Category:Key management]]

Revision as of 14:58, 11 December 2013

In cryptography, a weak key is a key, which, used with a specific cipher, makes the cipher behave in some undesirable way. Weak keys usually represent a very small fraction of the overall keyspace, which usually means that, if one generates a random key to encrypt a message, weak keys are very unlikely to give rise to a security problem. Nevertheless, it is considered desirable for a cipher to have no weak keys. A cipher with no weak keys is said to have a flat, or linear, key space.

Historical origins

Virtually all rotor based cipher machines (from 1925 onwards) have implementation flaws that lead to a substantial number of weak keys being created. Some machines have more problems with weak keys than others, as modern block and stream ciphers do.

The German Enigma machine is a family of about a dozen different cipher machine designs, each with its own problems. The military Enigma cipher machine, in its 3 and 4 rotor implementations had the equivalent of weak keys. Certain combinations of rotor order, stepping and initial key were fundamentally weaker than others. The Enigma's reflector (when used) guaranteed that no letter could be enciphered as itself, so an A could never turn back into an A. This helped Polish and, later, British efforts to break the cipher. (See Cryptanalysis of the Enigma and the Enigma rotor details.)

The first stream cipher machines, that were also rotor machines had some of the same problems of weak keys as the more traditional rotor machines. The T52 was one such stream cipher machine that had weak key problems.

The British first detected T52 traffic in Summer and Autumn of 1942. One link was between Sicily and Libya, codenamed "Sturgeon", and another from the Aegean to Sicily, codenamed "Mackerel". Operators of both links were in the habit of enciphering several messages with the same machine settings, producing large numbers of depths.

There were several (mostly incompatible) versions of the T52: the T52a and T52b (which differed only in their electrical noise suppression), T52c, T52d and T52e. While the T52a/b and T52c were cryptologically weak, the last two were more advanced devices; the movement of the wheels was intermittent, the decision on whether or not to advance them being controlled by logic circuits which took as input data from the wheels themselves.

In addition, a number of conceptual flaws (including very subtle ones) had been eliminated. One such flaw was the ability to reset the keystream to a fixed point, which led to key reuse by undisciplined machine operators.

Weak keys in DES

The block cipher DES has a few specific keys termed "weak keys" and "semi-weak keys". These are keys that cause the encryption mode of DES to act identically to the decryption mode of DES (albeit potentially that of a different key).

In operation, the secret 56-bit key is broken up into 16 subkeys according to the DES key schedule; one subkey is used in each of the sixteen DES rounds. DES weak keys produce sixteen identical subkeys. This occurs when the key (expressed in hexadecimal) is:[1]

  • Alternating ones + zeros (0x0101010101010101)
  • Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
  • '0xE0E0E0E0F1F1F1F1'
  • '0x1F1F1F1F0E0E0E0E'

If an implementation does not consider the parity bits, the corresponding keys with the inverted parity bits may also work as weak keys:

  • all zeros (0x0000000000000000)
  • all ones (0xFFFFFFFFFFFFFFFF)
  • '0xE1E1E1E1F0F0F0F0'
  • '0x1E1E1E1E0F0F0F0F'

Using weak keys, the outcome of the Permuted Choice 1 (PC1) in the DES key schedule leads to round keys being either all zeros, all ones or alternating zero-one patterns.

Since all the subkeys are identical, and DES is a Feistel network, the encryption function is self-inverting; that is, despite encrypting once giving a secure-looking cipher text, encrypting twice produces the original plaintext.

DES also has semi-weak keys, which only produce two different subkeys, each used eight times in the algorithm: This means they come in pairs K1 and K2, and they have the property that:

EK1(EK2(M))=M

where EK(M) is the encryption algorithm encrypting message M with key K. There are six semiweak key pairs:

  • 0x011F011F010E010E and 0x1F011F010E010E01
  • 0x01E001E001F101F1 and 0xE001E001F101F101
  • 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
  • 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
  • 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
  • 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1

There are also 48 possibly weak keys that produce only four distinct subkeys (instead of 16). They can be found in [2]

These weak and semiweak keys are not considered "fatal flaws" of DES. There are 256 (7.21 × 1016, about 72 quadrillion) possible keys for DES, of which four are weak and twelve are semiweak. This is such a tiny fraction of the possible keyspace that users do not need to worry. If they so desire, they can check for weak or semiweak keys when the keys are generated. They are very few, and easy to recognize. Note, however, that currently DES is no longer recommended for general use since all keys can be brute-forced in about a day for a one-time hardware cost in the order of some new PC addon cards.

List of algorithms with weak keys

Earlier than you decide whether or not chrome steel cookware is value buying, lets first focus on what chrome steel cookware is. Chrome steel is manufactured from an alloy, or a mix of metals. Mostly, primary iron with chromium, nickel or another minor metals. The chromium supplies rust safety and gives your cookware durability. The nickel supplies rust safety as properly, and adds a polished look. Most nicely made chrome steel cookware has copper or aluminum added to the bottom of the pan or pot. That is completed to increases the power of the pot or pan to conduct warmth.
The most effective chrome steel cookware is the primary category, but nonetheless it's divided into a number of subcategories based mostly on the quality and the price range. It may be complicated to choose the most effective stainless steel cookware out of the classes that can meet your necessities. That is where we took a step forward to clarify you all the information that will likely be useful so that you can know how to decide on the most effective chrome steel cookware. The perfect stainless-steel cookware set is manufactured from cheap to costly and high quality constructed pots and pans.
You will discover magnetic stainless steel in the layer on the skin of some high quality items of stainless-steel. This is to make it compatible with induction stovetops, which contain the use of a rapidly charging electromagnetic area to warmth cookware. Excessive-high quality stainless-steel, like All-Clad , uses three layers of metal—the austenite layer of steel on the inside, ferrite metal on the outside, and a layer of aluminum sandwiched between the 2 for optimal warmth conductivity (metal alone doesn't conduct heat evenly). Lesser-quality chrome steel is usually only one layer of austenitic chrome steel.
Aesthetically talking, stainless-steel is a smart alternative if you happen to prefer to show or hold pots or pans. The clear, crisp look of all stainless-steel kitchenware can transform a mishmash of cookware into a classy décor statement. Stainless steel kettles, such as the Cuisinart Tea Kettle will combine particular person kitchenware right into a cohesive and pleasant entity. Think about purchasing stainless-steel utensils as well. Already acquired a gorgeous stainless steel cookware assortment? The Cuisinart Chef’s Assortment stainless pot rack could be the final touch for a kitchen, liberating up area and making those pots and pans readily accessible. Get the chrome steel cookware of your culinary desires at Macy’s!
Exhausting-anodized aluminum cookware is one of the hottest varieties of material, regardless that many individuals do not quite perceive the development. Hard-anodized aluminum is obvious aluminum that has been processed in a series of chemical baths charged with an electrical present. The result's a fabric that has the identical superior warmth conductivity as aluminum however is non-reactive with acidic foods, resembling tomatoes, and twice as onerous as chrome steel. Two drawbacks to laborious-anodized cookware are that it's not dishwasher-protected and, as a result of it isn't magnetic, it is not going to work with induction vary tops.
The enamel over steel technique creates a chunk that has the warmth distribution of carbon steel and a non-reactive, low-stick surface. Such pots are a lot lighter than most other pots of comparable size, are cheaper to make than chrome steel pots, and should not have the rust and reactivity problems with cast iron or carbon metal. citation wanted Enamel over steel is right for large stockpots and for different giant pans used principally for water-based cooking. Due to its mild weight and straightforward cleanup, enamel over steel is also in style for cookware used while camping. Clad aluminium or copper edit
Unique specialty cookware pieces served a la carte to compliment any cookware set are constructed of a sturdy Stainless Metal with a brushed exterior end. Designed with an impression bonded, aluminum disk encapsulated base which distributes heat rapidly and evenly to permit exact temperature management. Handles are riveted for sturdiness and efficiency. The New Specialty Cookware is compatible for all range varieties together with induction. Along with the multi use perform, another unique function is backside to top interior volume markings in both quarts and metric measurement; and every bit comes with a tempered glass lid, oven safe to 350°F.
Whether or not you are a cooking enthusiasts, a professional chef or simply cooking for your family you already know the importance of getting a totally stocked kitchen. Not solely do you need the right ingredients, but you also need the fitting instruments to get the job done. In any sort of fundamental cooking coaching lesson, you will study that chrome steel is your new greatest buddy relating to kitchen cookware. What you will also learn is that quality cooking gear does not normally come at a discounted value. When you loved this information and you would like to receive details with regards to best stainless steel cookware i implore you to visit our own page. For this reason, it is important to take good care of your cookware! Listed here are some basics for chrome steel care.
To fight the uneven heating drawback, most stainless steel pans are laminations of aluminum or copper on the underside to spread the heat around, and stainless-steel inside the pan to provide a cooking floor that is impervious to no matter you would possibly put inside. In my experience, this chrome steel floor remains to be too sticky to fry on, and for those who ever burn it you get a permanent bother spot. But, typically a chrome steel cooking surface comes in handy when you may't use aluminum (see beneath) so I preserve some around. Select something with a fairly thick aluminum layer on the underside.
Nicely, unless you’re a metals skilled and go examine the manufacturing unit where the steel is made to see whether or not their manufacturing process creates a pure austenite without corrosive materials shaped, you’re not going to know for certain whether or not or not the craftsmanship of your stainless is of the very best high quality. I feel your best wager is to simply buy high-high quality stainless-steel from the beginning, from a model with a reputation for good quality. But, I believe I've found out a method that you can decide if the stainless cookware you have already got is potentially reactive.

  • RC4. RC4's weak initialization vectors allow an attacker to mount a known-plaintext attack and have been widely used to compromise the security of WEP.[3]
  • IDEA. IDEA's weak keys are identifiable in a chosen-plaintext attack. They make the relationship between the XOR sum of plaintext bits and ciphertext bits predictable. There is no list of these keys, but they can be identified by their "structure".
  • Data Encryption Standard
  • Blowfish. Blowfish's weak keys produce bad S-boxes, since Blowfish's S-boxes are key-dependent. There is a chosen plaintext attack against a reduced-round variant of Blowfish that is made easier by the use of weak keys. This is not a concern for full 16-round Blowfish.

No weak keys as a design goal

The goal of having a 'flat' keyspace (i.e., all keys equally strong) is always a cipher design goal. As in the case of DES, sometimes a small number of weak keys is acceptable, provided that they are all identified or identifiable. An algorithm that has unknown weak keys does not inspire much trust Potter or Ceramic Artist Truman Bedell from Rexton, has interests which include ceramics, best property developers in singapore developers in singapore and scrabble. Was especially enthused after visiting Alejandro de Humboldt National Park..

The two main countermeasures against inadvertently using a weak key:

  • Checking generated keys against a list of known weak keys, or building rejection of weak keys into the key scheduling.
  • When the number of weak keys is known to be very small (in comparison to the size of the keyspace), generating a key uniformly at random ensures that the probability of it being weak is a (known) very small number.

A large number of weak keys is a serious flaw in any cipher design, since there will then be a (perhaps too) large chance that a randomly generated one will be a weak one, compromising the security of messages encrypted under it. It will also take longer to check randomly generated keys for weakness in such cases, which will tempt shortcuts in interest of 'efficiency'.

However, weak keys are much more often a problem where the adversary has some control over what keys are used, such as when a block cipher is used in a mode of operation intended to construct a secure cryptographic hash function (e.g. Davies-Meyer).

See also

References

  1. FIPS, GUIDELINES FOR IMPLEMENTING AND USING THE NBS DATA ENCRYPTION STANDARD, FIPS-PUB 74, http://www.itl.nist.gov/fipspubs/fip74.htm
  2. NIST, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67, page 14
  3. FLUHRER, S., MANTIN, I., AND SHAMIR, A. Weaknesses in the key scheduling algorithm of RC4. Eighth Annual Workshop on Selected Areas in Cryptography (August 2001), http://citeseer.ist.psu.edu/fluhrer01weaknesses.html

Template:Cryptography navbox