[937] in Kerberos_V5_Development


Re: Another attempt at Triple-DES string-to-key

daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Wed Oct 25 09:28:02 1995

To: eichin@MIT.EDU
Cc: basch@lehman.com, tytso@MIT.EDU, krbdev@MIT.EDU, carson@lehman.com
In-Reply-To: Your message of "Tue, 24 Oct 1995 23:53:27 -0400 ."
             <199510250353.XAA28719@tweedledumber.cygnus.com> 
Date: Wed, 25 Oct 1995 09:21:25 -0400
From: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>

> Is the problem in the first step "weak" keys or guessable ones? Wasn't
> there an XOR used to modify detected weak keys into non-weak ones, and
> would that suffice?

I'm just trying to avoid encrypting with weak keys..

> Another thought - 3DES with 56 bits of good key packed into the first
> single-key is no weaker than 1DES, right? Can we really expect more
> than that, given the lack of entropy to begin with?

True enough, but why make the job of a brute-forcer any easier?

> > SHA gives you 160 bits of output, which is close to the 165 "real"
> 
> But then if you have a key that actually *has* 168 good bits (yeah,
> that would be comparable to a 30+ word English sentence) you lose
> some of them. Granted, by going to 3DES we've got enough strength that
> we may not care much... and that few passwords will be long enough to
> give that anyhow.

If you really care about those last 5 or 8 bits (depending on how you
count.. remember the symmetry that DESECB(P, K) = ~ DESECB(~P, ~K)..)
you can get 128 bits of key from SHA("Dorothy" || key || "Denning")
and 64 from MD5("is_an" || key || "FBI_stooge")...

> Lots of questions. Part of the reason for using a technique that is
> logically related to the existing one is that we can reason about the
> effectiveness in related ways.

Yes, but remember that MD2/MD4/MD5/SHA were invented somewhat after
single-DES kerberos came around (remember quad_cksum? it was an
attempt at something like MD4 which was faster than a DES MAC and
stronger than a CRC.  If they had known of MDx at that point, I
suspect that BCN & SPM would have used it instead of using
quad_cksum.. ).  

					- Bill
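Bill's sketch above (128 bits from SHA, 64 from MD5, and no weak keys in the result), as an added Python example that is not part of the thread or of any Kerberos release: it derives three DES keys, sets odd parity, screens each against the FIPS 74 weak and semi-weak key list, and repairs a hit by XORing 0xF0 into the last byte. The passphrase handling and the 0xF0 fixup are assumptions of this example, not something the thread specifies.

```python
import hashlib

# FIPS 74 weak (4) and semi-weak (12) DES keys, stored with odd parity, lowercase hex.
WEAK_KEYS = {
    "0101010101010101", "fefefefefefefefe", "1f1f1f1f0e0e0e0e", "e0e0e0e0f1f1f1f1",
    "01fe01fe01fe01fe", "fe01fe01fe01fe01", "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
    "01e001e001f101f1", "e001e001f101f101", "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e",
    "011f011f010e010e", "1f011f010e010e01", "e0fee0fef1fef1fe", "fee0fee0fef1fef1",
}


def set_odd_parity(key8: bytes) -> bytes:
    """Force the low bit of every byte to odd parity, as DES keys are written."""
    out = bytearray()
    for b in key8:
        b &= 0xFE                      # clear the parity bit
        if bin(b).count("1") % 2 == 0:  # even number of ones left: set it
            b |= 1
        out.append(b)
    return bytes(out)


def is_weak_key(key8: bytes) -> bool:
    """Compare against the weak-key table after normalising parity."""
    return set_odd_parity(key8).hex() in WEAK_KEYS


def fixup_weak_key(key8: bytes) -> bytes:
    """Return a parity-correct key; a weak key has 0xF0 XORed into its last byte.
    (Assumption for this example: flipping four bits keeps parity intact and moves
    every table entry off the table.)"""
    k = set_odd_parity(key8)
    if is_weak_key(k):
        k = k[:-1] + bytes([k[-1] ^ 0xF0])
    return k


def triple_des_keys_from_passphrase(passphrase: bytes) -> list:
    """Bill's sketch: 128 bits from SHA("Dorothy"||key||"Denning"), 64 from
    MD5("is_an"||key||"FBI_stooge"), split into three 8-byte DES keys.
    Each key still carries only 56 bits, and DES's complementation property
    halves the work of an exhaustive search, which is why weak keys are avoided
    rather than relied on for strength."""
    sha = hashlib.sha1(b"Dorothy" + passphrase + b"Denning").digest()[:16]
    md5 = hashlib.md5(b"is_an" + passphrase + b"FBI_stooge").digest()[:8]
    raw = sha + md5
    return [fixup_weak_key(raw[i:i + 8]) for i in range(0, 24, 8)]
```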
