[479] in cryptography@c2.net mail archive
Re: AS/400 crypto
daemon@ATHENA.MIT.EDU (Anil Das)
Thu Apr 3 13:00:05 1997
Date: Thu, 3 Apr 1997 02:39:24 -0800
From: das@razor.engr.sgi.com (Anil Das)
In-Reply-To: Rich Salz <rsalz@osf.org>
"Re: AS/400 crypto" (Apr 3, 12:20am)
To: JeanPaul.Kroepfli@utopia.eunet.fr
Cc: coderpunks@toad.com, cryptography@c2.net
On Apr 3, 12:20am, Rich Salz wrote:
> Subject: Re: AS/400 crypto
> > CDMF #2628 - which IBM describe as "data scrambling"
>
> Commercial data-masking facility. "40bit" DES. (I forget the details,
> but a patent search will turn them up.)
It is in AC2. Section 15.5.
Given a full 64 bit (including parity bits) DES key, "shorten"
it to 40 bits with this algorithm:
1) Zero the parity bits. Let the result be A.
2) DES encrypt A with the key 0xc408b0540ba1e0ae to get B.
Let C = A XOR B.
3) Zero bits 1-4,17-20,33-36,49-52 and the parity bits of C
to give D.
4) DES encrypt D with the key 0xef2c041ce6382fe6 giving E.
E is the shortened key. Presumably its parity bits need to be set
after step 4) to make it a "legal" DES key. Or you can just
ignore parity in your DES implementation.
For a brute force attack, steps 1,2,3 can be ignored. Just try
all possible values where the 24 bits specified in step 3
are zero. So, I don't understand what those steps were expected
to achieve in terms of security. The work factor is roughly double
that of DES, except only 2^40 keys need to be tested. I estimate
it can be broken with one known plaintext in a couple of weeks and
a single, fast microprocessor.
Which doesn't answer the question of which crypto software to
use for the bank. Surely there are software developers in Europe
who have IDEA available as a library for AS/400?
--
Anil Das