[932] in Kerberos_V5_Development

Re: Another attempt at Triple-DES string-to-key

daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Tue Oct 24 23:28:06 1995

To: "Richard Basch" <basch@lehman.com>
Cc: tytso@MIT.EDU, eichin@MIT.EDU, krbdev@MIT.EDU, carson@lehman.com
In-Reply-To: Your message of "Tue, 24 Oct 1995 18:32:24 -0400 ."
             <9510242232.AA02657@badger.lehman.com> 
Date: Tue, 24 Oct 1995 23:21:39 -0400
From: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>

-----BEGIN PGP SIGNED MESSAGE-----

> Date: Tue, 24 Oct 1995 18:32:24 -0400
> Message-Id: <9510242232.AA02657@badger.lehman.com>
> To: tytso@MIT.EDU
> Cc: eichin@MIT.EDU, krbdev@MIT.EDU
> Cc: carson@lehman.com
> Subject: Another attempt at Triple-DES string-to-key
> From: "Richard Basch" <basch@lehman.com>
> 
> 
> Triple-DES string-to-key:
> 1. Concatenate the input string and optional salt (appended).
> 2. Fanfold the resulting string into 24 bytes (instead of 8)
> 3. Fix the key parities, and do a Triple-DES CBC encryption of the
>    concatenated string (padded to a cblock, containing at least 24 bytes)
> 4. Retrieve the final 24 bytes of encrypted information (analogous to
>    how the DES MAC is computed).
> 
> Does this sound reasonable?

No.

 1) "short" passwords will result in the use of weak or mostly-zero
keys for the 3rd and possibly 2nd DES keys in the first pass; you
really want to mix things up a bit more than that.

I'm less sure of the following:
 2) taking the last 24 bytes of the triple-des CBC encryption means that:
	- all but the last 16 bytes get encrypted into the first block
	- the next-to-the-last 8 bytes get encrypted into the second block
		using the first block as IV
	- the last 8 bytes get encrypted into the third block using
	  the second block as IV,
    so *I think* the entropy contribution is uneven, and comes
    disproportionately from the last few blocks.  It certainly doesn't
    feel right to me.

Using MD5 and/or SHA would be safer.

SHA gives you 160 bits of output, which is close to the 165 "real"
bits of entropy in triple DES.

						- Bill

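As an added example (not code from this thread or from MIT Kerberos), the Python below models steps 1 to 3 of the proposed string-to-key on short inputs to check Bill's first objection. It assumes a plain XOR fanfold into 24 bytes (the bit reversal used by the DES string-to-key is left out, which does not affect the zero-fill argument), and SHA-1 stands in for the hash-based alternative Bill suggests.

```python
import hashlib

# The four DES weak keys (with odd parity set), as published in FIPS 74.
DES_WEAK_KEYS = {
    bytes([0x01] * 8), bytes([0xFE] * 8),
    bytes([0x1F] * 4 + [0x0E] * 4), bytes([0xE0] * 4 + [0xF1] * 4),
}

def fanfold(data: bytes, width: int = 24) -> bytes:
    """Assumed model of step 2: XOR-fold data into `width` bytes.
    Any position past len(data) is never touched and stays zero."""
    out = bytearray(width)
    for i, b in enumerate(data):
        out[i % width] ^= b
    return bytes(out)

def fix_parity(key: bytes) -> bytes:
    """Force odd parity per byte; the low bit is the DES parity bit."""
    fixed = bytearray()
    for b in key:
        high = b & 0xFE
        fixed.append(high | int(bin(high).count("1") % 2 == 0))
    return bytes(fixed)

def analyze_string_to_key(password: bytes, salt: bytes) -> list[dict]:
    """Steps 1-3 of the proposal: concatenate, fanfold to 24 bytes, fix parity.
    For each 8-byte DES subkey, report whether it was all-zero before the
    parity fix and whether the parity-fixed result is a known weak key."""
    folded = fanfold(password + salt)
    report = []
    for n in range(3):
        raw = folded[8 * n:8 * n + 8]
        key = fix_parity(raw)
        report.append({"subkey": n + 1, "zero_before_parity": raw == bytes(8),
                       "weak": key in DES_WEAK_KEYS, "key": key.hex()})
    return report

def sha1_fill(password: bytes, salt: bytes) -> bytes:
    """Bill's alternative in its simplest form (assumed construction): every
    output byte depends on the whole input, so a short password does not
    leave untouched zero regions the way the fanfold does."""
    return hashlib.sha1(password + salt).digest()

if __name__ == "__main__":
    # Constructed sample inputs: a 6-byte password with no salt, a 2-byte
    # password with a realm-style salt, and a passphrase longer than 24 bytes.
    for pw, salt in ((b"secret", b""), (b"pw", b"ATHENA.MIT.EDU"),
                     (b"correct horse battery staple", b"EXAMPLE.ORG")):
        print(pw, salt, analyze_string_to_key(pw, salt))
```

With a 6-byte password the second and third subkeys come out as 0x01 repeated, one of the DES weak keys, before the Triple-DES CBC pass even starts; only an input longer than 24 bytes fills all three subkeys.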