[934] in Kerberos_V5_Development


Re: Another attempt at Triple-DES string-to-key

daemon@ATHENA.MIT.EDU (Richard Basch)
Tue Oct 24 23:58:17 1995

Date: Tue, 24 Oct 1995 23:56:25 -0400
To: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>
Cc: "Richard Basch" <basch@lehman.com>, tytso@MIT.EDU, eichin@MIT.EDU,
        krbdev@MIT.EDU, carson@lehman.com
In-Reply-To: Bill Sommerfeld's message of Tue, 24 Oct 1995 23:21:39 -0400,
	<199510250322.DAA01102@orchard.medford.ma.us>
From: "Richard Basch" <basch@MIT.EDU>


   Date: Tue, 24 Oct 1995 23:21:39 -0400
   From: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>

   > Date: Tue, 24 Oct 1995 18:32:24 -0400
   > Message-Id: <9510242232.AA02657@badger.lehman.com>
   > From: "Richard Basch" <basch@lehman.com>
   > 
   > Triple-DES string-to-key:
   > 1. Concatenate the input string and optional salt (appended).
   > 2. Fanfold the resulting string into 24 bytes (instead of 8)
   > 3. Fix the key parities, and do a Triple-DES CBC encryption of the
   >    concatenated string (padded to a cblock, containing at least 24 bytes)
   > 4. Retrieve the final 24 bytes of encrypted information (analogous to
   >    how the DES MAC is computed).
   > 
   > Does this sound reasonable?

   No.

    1) "short" passwords will result in the use of weak or mostly-zero
   keys for the 3rd and possibly 2nd DES keys in the first pass; you
   really want to mix things up a bit more than that.

I don't see how this is true...
The folding will produce three keys with fairly good bit distribution
amongst the three keys.  The short password + salt is then encrypted one
block at a time, using E-D-E using that fanfolded key.  Then the
chaining will propagate the contents of the first block into the
subsequent blocks.  That was the point of using Triple-DES CBC.
The Triple-DES CBC does not simply do three CBC passes (or at least that
seems to be the consensus amongst the IPSEC working group).

The point of fanfolding all the bits into 24 bits of key information and
using that as the three cipher keys is to distribute the entropy.  The
chaining helps to preserve the entropy across the subsequent blocks.

Even without the salt and a relatively short password, you would need
about two characters to not have any distribution into the third
keyblock (and how long is it going to take to break a two character
password, anyway...)  

   I'm less sure of the following:
    2) taking the last 24 bytes of the triple-des CBC encryption means that:
   	- all but the last 16 bytes get encrypted into the first block
   	- the next-to-the-last 8 bytes get encrypted into the second block
   		using the first block as IV
   	- the last 8 bytes get encrypted into the third block using
   	  the second block as IV,
       so *I think* the entropy contribution is uneven, and comes
       disproportionately from the last few blocks.  It certainly doesn't
       feel right to me..

   Using MD5 and/or SHA would be safer.

   SHA gives you 160 bits of output, which is close to the 165 "real"
   bits of entropy in triple DES.

I will look into SHA...  I have some concerns with extending MD5 to
produce a larger digest for such short messages.  Short messages are
already padded with a great deal of zeroes and there are four
uncorrelated bit functions used to essentially compact 512 bits into 128
bits (larger messages simply fanfold in the later blocks with those bit
functions).

-Richard
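As an added illustration, not code from this thread or from MIT Kerberos, the four-step proposal quoted above is written out in Go (whose standard library provides DES) so the item-1 concern can be checked on real input. The thread does not fix the fold or the IV, so the chunk-reversing fanfold and the zero IV below are assumptions; the accompanying check goes one step past the thread by noting that when the second and third key blocks come out identical, the E-D-E first pass is single DES under the first key.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"math/bits"
)

// fixParity forces each key byte to odd parity, as DES keys require.
func fixParity(k []byte) {
	for i, b := range k {
		k[i] = b&0xfe | byte(1-bits.OnesCount8(b&0xfe)%2)
	}
}

// fanfold folds s into 24 bytes: even 24-byte chunks are XORed in byte order,
// odd chunks bit- and byte-reversed first (the exact fold is an assumption).
func fanfold(s []byte) []byte {
	acc := make([]byte, 24)
	for i, b := range s {
		if (i/24)%2 == 0 {
			acc[i%24] ^= b
		} else {
			acc[23-i%24] ^= bits.Reverse8(b)
		}
	}
	return acc
}

// proposedS2K follows steps 1-4: concatenate, fanfold, fix parity, 3DES-CBC
// with a zero IV over the zero-padded input (>= 24 bytes), keep the last 24.
func proposedS2K(password, salt string) (key, out []byte, err error) {
	in := []byte(password + salt)
	key = fanfold(in)
	fixParity(key)
	n := (len(in) + 7) / 8 * 8 // pad to a DES block boundary...
	if n < 24 {
		n = 24 // ...and to at least 24 bytes, as step 3 requires
	}
	buf := make([]byte, n)
	copy(buf, in)
	blk, err := des.NewTripleDESCipher(key) // K1|K2|K3, E-D-E
	if err != nil {
		return nil, nil, err
	}
	out = make([]byte, n)
	cipher.NewCBCEncrypter(blk, make([]byte, 8)).CryptBlocks(out, buf)
	return key, out[n-24:], nil
}
```

For a short unsalted password such as "pw" this fold leaves key blocks 2 and 3 all zero, so after parity fixing both are the DES weak key 01..01, which is the case item 1 describes.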
