[956] in Kerberos_V5_Development
3-DES string-to-key algorithm (REVISED)
daemon@ATHENA.MIT.EDU (Richard Basch)
Thu Nov 30 23:59:19 1995
Date: Thu, 30 Nov 1995 23:03:52 -0500
To: cvs-krb5@MIT.EDU, krbdev@MIT.EDU
From: "Richard Basch" <basch@lehman.com>

(Sorry, the first one was a premature send without the fully edited n-fold).
This version should hopefully address some of the editing comments, and
one theoretical weakness for certain input key choices that Ted and I
identified (string-to-key computation, not the n-fold algorithm).

Definitions:

n-fold:

To n-fold a bit array X into n bits, replicate the input value to a length
that is the least common multiple of n bits and the length of X. Before
each successive repetition, circularly rotate the input X to the right by
13 bit positions. The successive n-bit chunks are added together (where
the first bit is the most significant bit) with end-around carry (that is,
adding the carry result from the most significant bits to the least
significant bits) to yield an n-bit result.

Triple-DES ECB mode:

Three DES keys are used in turn to perform a DES ECB encryption of an
eight-octet data block with the first key, followed by a DES ECB
decryption of the resulting data block with the second key, followed
by a DES ECB encryption of the resulting data block with the last key.

Triple-DES CBC mode:

An input data stream is padded on the right by zeroes to an eight-octet
boundary. The first eight-octet block is eXclusive-ORed with an initial
vector eight-octet block. This result is triple-DES ECB encrypted with
three DES keys. Subsequent eight-octet data blocks are eXclusive-ORed
with the cipher text produced from the 3-DES ECB encryption of the previous
block and then the data block is 3-DES ECB encrypted with the same DES keys.

Triple-DES String to key computation:

The input string (appended with any salt data) is 168-folded into a 21-octet
(168 bit) string. Each successive set of 7 octets is treated as a DES key
sans parity. The DES keys are then adjusted to include parity by computing
a parity bit for each successive seven bits to form eight octets.
The resulting DES keys including parity are then used to encrypt themselves
using Triple-DES CBC encryption with a zero initial vector. The result
is then adjusted for parity to produce three valid DES keys. Each key is
checked for weakness, and if it is determined to be weak or semi-weak, the
first octet of each weak key is eXclusive-ORed with the value 0xF0.

--
Richard Basch URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc. Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor Fax: +1-201-524-5828
Jersey City, NJ 07302-3988 Voice: +1-201-524-5049
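
The n-fold definition and the first half of the string-to-key computation in the message above (168-fold, then expansion of each 7 octets to an 8-octet key with parity), as an added Python example that is not part of the original message or of the Kerberos sources. It stops before the Triple-DES CBC self-encryption and the weak-key check, which need a DES implementation. The function names, the sample password and salt, and the choice of odd parity in the low-order bit are assumptions made for illustration.

```python
from math import gcd

def rotate_right(value, width, count):
    """Circularly rotate a width-bit integer right by count bit positions."""
    count %= width
    return ((value >> count) | (value << (width - count))) & ((1 << width) - 1)

def n_fold(data, nbits):
    """n-fold the bit array `data` (first bit most significant) into nbits bits."""
    if not data or nbits <= 0 or nbits % 8:
        raise ValueError("need non-empty input and a whole number of output octets")
    xbits = 8 * len(data)
    total = xbits * nbits // gcd(xbits, nbits)   # lcm of n and the length of X
    x = int.from_bytes(data, "big")
    stream = 0
    for i in range(total // xbits):
        # Copy 0 is X itself; each later copy is rotated 13 more bits to the right.
        stream = (stream << xbits) | rotate_right(x, xbits, 13 * i)
    mask = (1 << nbits) - 1
    acc = 0
    for _ in range(total // nbits):              # add the successive n-bit chunks
        acc += stream & mask
        stream >>= nbits
    while acc >> nbits:                          # end-around carry
        acc = (acc & mask) + (acc >> nbits)
    return acc.to_bytes(nbits // 8, "big")

def add_parity(key7):
    """Expand 7 octets to 8 by appending a parity bit to each successive 7 bits.
    Assumption: odd parity in the low-order bit, the usual DES key convention."""
    if len(key7) != 7:
        raise ValueError("expected 7 octets")
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for shift in range(49, -1, -7):
        seven = (bits >> shift) & 0x7F
        out.append((seven << 1) | ((bin(seven).count("1") + 1) & 1))
    return bytes(out)

def fold_to_des_keys(secret):
    """168-fold the string (with salt appended), then split into three DES keys."""
    folded = n_fold(secret, 168)
    return [add_parity(folded[i:i + 7]) for i in (0, 7, 14)]

if __name__ == "__main__":
    # Constructed sample input: password "password" with salt "EXAMPLE.COMuser".
    for key in fold_to_des_keys(b"password" + b"EXAMPLE.COMuser"):
        print(key.hex())
```
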