[936] in Kerberos_V5_Development


Re: Another attempt at Triple-DES string-to-key

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed Oct 25 08:47:43 1995

Date: Wed, 25 Oct 1995 08:46:47 -0400
From: Theodore Ts'o <tytso@MIT.EDU>
To: Marc Horowitz <marc@MIT.EDU>
Cc: "Richard Basch" <basch@lehman.com>, eichin@MIT.EDU, krbdev@MIT.EDU
In-Reply-To: Marc Horowitz's message of Tue, 24 Oct 1995 19:37:28 EDT,
	<9510242337.AA17284@oliver.MIT.EDU>

   Date: Tue, 24 Oct 1995 19:37:28 EDT
   From: Marc Horowitz <marc@MIT.EDU>

   >> Triple-DES CBC mode:
   >> ...
   >> Does this sound reasonable?

   I would talk to Perry Metzger <pmetzger@imsi.com> and find out what
   he's doing for IPSEC.  Kerberos should not be gratuitously different.

My understanding is that is what IPSEC is doing; that's why I suggested
that we use it.  After a lot of flameage on the mailing list, Burt
Kaliski from RSA did a study on different modes of 3DES, and concluded
that treating 3DES as a primitive ECB operation, and then doing CBC
chaining around such a primitive ECB operation (therefore requiring only
a 56-bit IV) seemed to be the strongest way to do things.  The
alternatives, which required more IV, had the advantage that they
could be pipelined in hardware, but which appeared to be more
susceptible to analysis.  Hence, I'm pretty sure that what I described
is what IPSEC is using.

						- Ted
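
The two constructions compared in the message above, as an added example that is not part of the original post: outer CBC wraps the EDE triple as one block primitive with a single IV, while inner CBC runs three chained passes with one IV each. A toy Feistel cipher stands in for DES, and all names, keys and sample data are assumptions constructed for illustration.

```python
import hashlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def rf(key, i, half):  # round function of the toy cipher
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]
def E(key, b):  # toy 8-byte Feistel block cipher standing in for DES (not real DES)
    l, r = b[:4], b[4:]
    for i in range(4):
        l, r = r, xor(l, rf(key, i, r))
    return l + r
def D(key, b):  # inverse of E
    l, r = b[:4], b[4:]
    for i in reversed(range(4)):
        l, r = xor(r, rf(key, i, l)), l
    return l + r

def cbc_enc(f, iv, blocks):  # chain: c[i] = f(p[i] ^ c[i-1])
    out = []
    for p in blocks:
        iv = f(xor(p, iv))
        out.append(iv)
    return out
def cbc_dec(f, iv, blocks):  # unchain: p[i] = f(c[i]) ^ c[i-1]
    out = []
    for c in blocks:
        out.append(xor(f(c), iv))
        iv = c
    return out
def outer_enc(k, iv, pt):  # EDE treated as one block primitive: one IV, one chain
    return cbc_enc(lambda b: E(k[2], D(k[1], E(k[0], b))), iv, pt)
def outer_dec(k, iv, ct):
    return cbc_dec(lambda b: D(k[0], E(k[1], D(k[2], b))), iv, ct)
def inner_enc(k, ivs, pt):  # three single-cipher CBC passes, one IV per pass
    s = cbc_enc(lambda b: E(k[0], b), ivs[0], pt)
    s = cbc_dec(lambda b: D(k[1], b), ivs[1], s)
    return cbc_enc(lambda b: E(k[2], b), ivs[2], s)
def inner_dec(k, ivs, ct):
    s = cbc_dec(lambda b: D(k[2], b), ivs[2], ct)
    s = cbc_enc(lambda b: E(k[1], b), ivs[1], s)
    return cbc_dec(lambda b: D(k[0], b), ivs[0], s)

def damaged(dec, ct, pt, j=1):  # flip one bit of ct[j]; list corrupted plaintext blocks
    bad = ct[:j] + [xor(ct[j], b"\x01" + bytes(7))] + ct[j + 1:]
    return [i for i, (a, b) in enumerate(zip(dec(bad), pt)) if a != b]
# Constructed sample keys, IVs and plaintext blocks
KEYS = (b"key-one!", b"key-two!", b"key-3333")
IVS = (bytes(8), b"\x11" * 8, b"\x22" * 8)
PT = [bytes([i]) * 8 for i in range(6)]
```

With these inputs, a one-bit ciphertext error under outer CBC corrupts only the affected block and the next one, while under inner CBC it corrupts every block from that point on, because the middle pass re-chains on decryption.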
