
Re: [iaik-jce] RC2-CBC with 160 bits key ? (S/MIME Warning)

Title: IAIK S/MIME Mapper Security Warning
IAIK-S/MIME supports RC2 for the effective key length of 40, 64 and 128 bits as proposed in the S/MIME spec. The value of 160 indicates the rc2ParameterVersion sent with the algorithm ID and may be 160, 120, 58 for effective-key-bits of 40, 64, and 128, respectively. From the rc2ParameterVersion field the effective key length is calculated according to the algorithm presented in RFC 2268.

Till IAIK-S/MIME2.6, IAIK-JCE2.6 it was assumed that the actual key length is equal to the effective key length (as usual with S/MIME), meaning that if you encrypt the message with a 40, 64, or 128 bit key you also actually send a 40, 64, respectively 128 bit key. However, as is possible with RC2, you may send, for instance, a 128 bit key, but only 40 bits are "effective" as indicated by the rc2ParameterVersion value of 160. IAIK-S/MIME2.6, JCE2.6 now is able to handle such messages.

So, please try the 2.6 versions. If you already did so, you may send us a sample message to investigate the problem.
Dieter Bratko

>We are evaluating IAIK/JCE and IAIK/SMIME for an e-commerce application
>which uses RC2-CBC with 160 bits keys (instead of the usual 40 bits
>keys). Does the IAIK implementation support this key length? We are
>trying to decrypt a mail message encrypted with this kind of keys and
>then the S/MIME implementation throws an exception when trying to
>decrypt the content (after successfully decrypting the session key):

><my-main-class>.main: java.lang.NegativeArraySizeException:
>        at iaik.utils.CryptoUtils.resizeArray(Unknown Source)
>        at iaik.security.cipher.v.engineDoFinal(Unknown Source)
>        at javax.crypto.Cipher.doFinal(Unknown Source)
>        <my-main-class>.main(<my-main-class>.java, Compiled Code)

Thanks in advance,
Juan A. Hernández
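
The distinction drawn in the reply above, between the length of the RC2 key that is sent and the effective key bits signalled by rc2ParameterVersion, shown as an added example that is not part of the original thread and not IAIK code. It uses the standard `javax.crypto` API rather than IAIK's classes; the class name `Rc2EffectiveBits`, the key, the IV and the message are constructed for illustration, and the mapping covers only the three version values named in the reply plus the RFC 2268 rule for values of 256 and above.

```java
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.RC2ParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class Rc2EffectiveBits {
    // rc2ParameterVersion -> effective key bits, for the three values named in the reply.
    // Versions of 256 and above carry the effective key bits directly (RFC 2268);
    // other values below 256 need the RFC's full table, which is not reproduced here.
    static int effectiveKeyBits(int version) {
        switch (version) {
            case 160: return 40;
            case 120: return 64;
            case 58:  return 128;
            default:
                if (version >= 256 && version <= 1024) return version;
                throw new IllegalArgumentException("unmapped rc2ParameterVersion " + version);
        }
    }

    static byte[] run(int mode, byte[] key, int ekb, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("RC2/CBC/PKCS5Padding");
        // Key length and effective key bits are passed separately.
        c.init(mode, new SecretKeySpec(key, "RC2"), new RC2ParameterSpec(ekb, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];   // constructed 128-bit content-encryption key
        byte[] iv = new byte[8];     // constructed IV
        Arrays.fill(key, (byte) 0x5a);
        Arrays.fill(iv, (byte) 0x01);
        byte[] msg = "constructed sample content".getBytes("US-ASCII");

        int ekb = effectiveKeyBits(160);   // 40, although the key itself is 128 bits long
        byte[] ct = run(Cipher.ENCRYPT_MODE, key, ekb, iv, msg);
        byte[] ok = run(Cipher.DECRYPT_MODE, key, ekb, iv, ct);
        System.out.println("ekb=" + ekb + " round trip ok: " + Arrays.equals(msg, ok));

        // Receiver that assumes effective bits == key length (128): wrong key schedule.
        try {
            byte[] bad = run(Cipher.DECRYPT_MODE, key, key.length * 8, iv, ct);
            System.out.println("assumed 128: plaintext matches: " + Arrays.equals(msg, bad));
        } catch (javax.crypto.BadPaddingException e) {
            System.out.println("assumed 128: padding check failed");
        }
    }
}
```

A receiver should take the effective key bits from the rc2ParameterVersion field and the key length from the decrypted session key, and treat a mismatch between the two as valid input rather than deriving one from the other.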