[508] in Kerberos
DES Pseudorandom key generation
daemon@TELECOM.MIT.EDU (Steve Miller)
Fri Sep 23 16:30:36 1988
From: miller%erlang.DEC@DECWRL.DEC.COM (Steve Miller)
To: kerberos@ATHENA.MIT.EDU
I have copied verbatim (except for possible typos!) Appendix C of
ANSI X9.17-1985, "Financial Institution Key Management (Wholesale)"
that describes a technique for producing pseudorandom DES keys and
IVs (initialization vectors). It requires a secret DES key pair, a
secret 64 bit-seed, the date and time, and multiple encryption operations,
making it fairly expensive in software. 'DEA' means the Data Encryption
Algorithm of DES.
The 'ede' operation using the key pair encrypts with the left key of the pair,
then decrypts with the right key of the pair, and finally encrypts with the
left key of the pair.
I don't know to what extent this is actually used currently, but presumably
it was designed for large $$ transactions.
Steve
----------------------------------------------------------
----------------------------------------------------------
C.1 Purpose
The purpose of this appendix is to present an example of a
pseudorandom key and IV generator.
C.2 Algorithm
Let ede*X(Y) represent the DEA multiple encryption of Y under
key *X. Let *K be a DEA key pair reserved only for the generation
of other keys, let V be a 64-bit seed value which is also kept
secret, and let + be the exclusive-or operator. Let DT be a
date/time vector which is updated on each key generation. I is
an intermediate value. A 64-bit vector R is generated as follows:
I = ede*K(DT)
R = ede*K(I + V)
and a new V is generated by V = ede*K(R + I).
To obtain a DEA key, every eighth bit is reset to odd parity.
To obtain an Initialization Vector (IV), R may be used directly.
