[938] in Kerberos_V5_Development
Re: Another attempt at Triple-DES string-to-key
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Thu Oct 26 13:11:47 1995
Date: Thu, 26 Oct 1995 13:11:28 -0400
From: Theodore Ts'o <tytso@MIT.EDU>
To: eichin@MIT.EDU
Cc: sommerfeld@orchard.medford.ma.us, basch@lehman.com, krbdev@MIT.EDU,
        carson@lehman.com
In-Reply-To: eichin@MIT.EDU's message of Tue, 24 Oct 1995 23:53:27 -0400,
        <199510250353.XAA28719@tweedledumber.cygnus.com>

   From: eichin@MIT.EDU
   Date: Tue, 24 Oct 1995 23:53:27 -0400

   > 1) "short" passwords will result in the use of weak or mostly-zero
   > keys for the 3rd and possibly 2nd DES keys in the first pass; you
   > really want to mix things up a bit more than that.

   A trivial change would be to loop back to the start of the input
   string, but the symmetry this would add to that key is
   disturbing. (Then again, the key has insufficient entropy anyhow...)
   Perhaps scanning backwards (and bouncing back again until you fill the
   24-byte buffer.)

Richard and I talked on the phone yesterday. The solution which we came
up with was to create the 1st, 2nd, and 3rd keys by taking bit slices
from the bit array. So the bits for the first key would come from
bits[i*3], the bits for the 2nd key would come from bits[i*3 + 1], etc.,
where 0 <= i <= 56. So for a short password, there would be at least
some bits in each of the three keys. Although it's true that most of
the high-order bits in the three keys will be zero, that shouldn't
matter, since this temporary key is only used to encrypt the
password+realm string in the second part of the string-to-key algorithm.
I think this should be workable ---- comments?
- Ted
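
The bit-slice idea in the message above, set beside a contiguous split, as an added example that is not part of the original message or of the Kerberos source. It assumes the "bit array" is the password bytes taken MSB first and zero-padded to 168 bits, that i runs over 56 positions per key, and it covers only the split of the bit array into three keys, not the rest of the string-to-key algorithm; the password is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

#define KEY_BITS 56                  /* key bits per DES key, parity excluded */
#define NKEYS 3
#define TOTAL_BITS (KEY_BITS * NKEYS)

/* Assumption: the "bit array" is the password bytes, MSB first, zero-padded. */
static void password_to_bits(const char *pw, unsigned char bits[TOTAL_BITS])
{
    size_t len = strlen(pw);
    memset(bits, 0, TOTAL_BITS);
    for (size_t b = 0; b < TOTAL_BITS && b / 8 < len; b++)
        bits[b] = ((unsigned char)pw[b / 8] >> (7 - b % 8)) & 1;
}

/* sliced=0: key k takes bits[56k .. 56k+55] (contiguous split).
 * sliced=1: key k takes bits[i*3 + k], the bit slices from the message. */
static void split(const unsigned char *bits, int sliced,
                  unsigned char keys[NKEYS][KEY_BITS])
{
    for (int k = 0; k < NKEYS; k++)
        for (int i = 0; i < KEY_BITS; i++)
            keys[k][i] = bits[sliced ? i * 3 + k : k * KEY_BITS + i];
}

/* Number of set bits in key k (0-based) derived from pw under either scheme. */
int key_weight(const char *pw, int sliced, int k)
{
    unsigned char bits[TOTAL_BITS], keys[NKEYS][KEY_BITS];
    int n = 0;
    password_to_bits(pw, bits);
    split(bits, sliced, keys);
    for (int i = 0; i < KEY_BITS; i++)
        n += keys[k][i];
    return n;
}

int main(void)
{
    const char *pw = "secret";       /* constructed sample, 48 bits of input */
    for (int k = 0; k < NKEYS; k++)
        printf("key %d: contiguous %2d set bits, sliced %2d\n",
               k + 1, key_weight(pw, 0, k), key_weight(pw, 1, k));
    return 0;
}
```

For this six-character input the contiguous split leaves the 2nd and 3rd keys all zero, while the sliced split puts password bits into all three.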