[957] in Kerberos_V5_Development


3-DES string-to-key algorithm (REVISED)

daemon@ATHENA.MIT.EDU (Richard Basch)
Thu Nov 30 23:59:47 1995

Date: Thu, 30 Nov 1995 22:55:21 -0500
To: "Richard Basch" <basch@lehman.com>
Cc: cvs-krb5@MIT.EDU, krbdev@MIT.EDU, tytso@MIT.EDU
In-Reply-To: <199511280140.UAA03498@badger.lehman.com>
From: "Richard Basch" <basch@lehman.com>

This version should hopefully address some of the editing comments, and
one theoretical weakness for certain input key choices that Ted and I
identified (string-to-key computation, not the n-fold algorithm).

Definitions:

n-fold
   To n-fold a number X, replicate the input value to a length that is the
   least common multiple of n and the length of X.  Before each repetition,
   the input X is circularly rotated to the right by 13 bit positions.  The 
   successive n-bit chunks are added together (where the first bit is the
   most significant bit) with end-around carry (that is, adding the carry
   result from the most significant bits to the least significant bits).

Triple-DES ECB mode:

   Three DES keys are used in turn to perform a DES ECB encryption of an
   eight-octet data block with the first key, followed by a DES ECB
   decryption of the resulting data block with the second key, followed
   by a DES ECB encryption of the resulting data block with the last key.

Triple-DES CBC mode:
   An input data stream is padded on the right by zeroes to an eight-octet
   boundary.  The first eight octet block is eXclusive-ORed with an initial
   vector eight-octet block.  This result is triple-DES ECB encrypted with
   three DES keys.  Subsequent eight-octet data blocks are eXclusive-ORed
   with the cipher text produced from the 3-DES ECB encryption of the previous
   block and then the data block is 3-DES ECB encrypted with the same DES keys.

Triple-DES String to key computation:
   The input string (appended with any salt data) is 168-folded into a 21 octet
   (168 bit) string.  Each successive set of 7 octets is treated as a DES key
   sans parity.  The DES keys are then adjusted to include parity by computing
   a parity bit for each successive seven bits to form eight octets.
   The resulting DES keys including parity are then used to encrypt themselves
   using Triple-DES CBC encryption with a zero initial vector.  The result
   is then adjusted for parity to produce three valid DES keys.  Each key is
   checked for weakness, and if it is determined to be weak or semi-weak, the 
   first octet of each weak key is eXclusive-ORed with the value 0xF0.
-- 
Richard Basch                   URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc.           Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor      Fax:   +1-201-524-5828
Jersey City, NJ  07302-3988     Voice: +1-201-524-5049

