[935] in Kerberos_V5_Development
Re: Another attempt at Triple-DES string-to-key
daemon@ATHENA.MIT.EDU (Richard Basch)
Wed Oct 25 02:01:40 1995
Date: Wed, 25 Oct 1995 02:00:24 -0400
To: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>
Cc: "Richard Basch" <basch@lehman.com>, tytso@MIT.EDU, eichin@MIT.EDU,
krbdev@MIT.EDU, carson@lehman.com
In-Reply-To: Bill Sommerfeld's message of Tue, 24 Oct 1995 23:21:39 -0400,
<199510250322.DAA01102@orchard.medford.ma.us>
From: "Richard Basch" <basch@MIT.EDU>
Oh, I suddenly realized on the way home what you meant by keys two and
three not having any real entropy.
However:
1. You cannot increase the randomness of all the keys, but as long as
you do not lose randomness between the three keys and the keys cannot be
cross-correlated any easier than the input string, then there isn't a
problem.
Essentially, an eight-byte password is only sufficient to generate one
moderate DES key (you need about 10 characters for a good key). So, if
the other two keys are merely cipher-block-chains of a block of zeroes
with the previous block's cipher as the ivec, then you have merely
carried forward the encryption with no added random bits. However, no
bits were destroyed in the process and you are still left with no faster
approach than brute force.
It should also be noted that all parts of the key are equally good to
pick for a single DES key, since they are chained results of the
previous block. Admittedly, if you break one, you have it all, but you
might as well have guessed the original string with that exhaustive
approach.
2. The temporary 24-byte cipher key has randomness well distributed in
it because of the fanning... Only a two character password with no salt
would generate a very weak cipher key (which I should probably make sure
is covered), but if someone chooses a two character password, they
really have problems. It still wouldn't weaken the resulting key more
than a two character key already is, though.
3. Digest mechanisms may not be as easily extensible, since they are
geared to larger message blocks and producing compacted hashes.
This approach was a simple extension of the already existing fanning and
MAC process that was previously used. It attempts to fan the
randomness into the first cblock and ensure that subsequent cblocks use
the same randomness plus whatever they might have had in them. If the
first cblock only has 6 characters and there is nothing else, each
cblock taken individually will have about 40 bits of randomness, and
together they will still have that same amount.
-Richard
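The chaining structure the message describes, as an added illustration (not code from the original post or from the Kerberos sources). Assumptions: a keyed PRF built from SHA-256 stands in for DES, an XOR fold stands in for the real fan-fold, and the first chaining IV is taken to be k1. The check at the end shows that, over any set of passwords, the 24-byte key takes exactly as many distinct values as k1 alone, i.e. k2 and k3 add no entropy.

```python
import hashlib

BLOCK = 8  # DES block and key size in bytes


def stand_in_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a DES block encryption (NOT DES): a keyed 8-byte PRF,
    used only so this example runs without a DES library."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def fold_to_block(data: bytes) -> bytes:
    """Simplified 'fanning' (assumed, not the Kerberos fan-fold): XOR-fold the
    salted string into one 8-byte block."""
    out = bytearray(BLOCK)
    for i, b in enumerate(data):
        out[i % BLOCK] ^= b
    return bytes(out)


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC over whole blocks; each ciphertext block is the next IV."""
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        prev = stand_in_block_encrypt(key, bytes(a ^ b for a, b in zip(prev, chunk)))
        out += prev
    return out


def triple_des_string_to_key(password: bytes, salt: bytes) -> tuple:
    """k1 is the folded salted string; k2 and k3 are a CBC chain of zero
    blocks under k1, each block's IV being the previous ciphertext
    (first IV = k1 is an assumption of this example)."""
    k1 = fold_to_block(password + salt)
    chain = cbc_encrypt(k1, k1, bytes(2 * BLOCK))
    return k1, chain[:BLOCK], chain[BLOCK:]


def distinct_key_counts(passwords, salt: bytes) -> tuple:
    """(distinct k1 values, distinct full 24-byte keys) over a password set.
    Equal counts mean k2/k3 separate no passwords that k1 does not."""
    k1s, triples = set(), set()
    for pw in passwords:
        k1, k2, k3 = triple_des_string_to_key(pw, salt)
        k1s.add(k1)
        triples.add(k1 + k2 + k3)
    return len(k1s), len(triples)
```

The two constructed passwords `b"aaaaaaaab"` and `b"\x03aaaaaaa"` fold to the same k1, so they yield the same k2 and k3 as well: the brute-force search space is that of k1, exactly the message's point.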