differences between des3-cbc-sha1 and des3-cbc-md5

Tom Yu tlyu at MIT.EDU
Tue Sep 14 20:15:42 EDT 2004


>>>>> "Ish" == Ahluwalia, Ish <iahluwalia at sonusnet.com> writes:

Ish> When we talk about des3-cbc-sha1 support - The way I understand
Ish> it means support for des3-cbc encryption with
Ish> CKSUMTYPE_HMAC_SHA1_DES3.  I hope my understanding is correct in
Ish> terms of this.

I believe this is correct, though perhaps not in the way you are
thinking.  CKSUMTYPE_HMAC_SHA1_DES3 is a cryptographic checksum
(signature) algorithm which is required to be supported when a session
key type of des3-cbc-sha1 is used.

Ish> Now, for "des3-cbc-md5" encryption - it means we again need
Ish> support for des3-cbc encryption.  But what checksumtype needs to
Ish> be supported - Is it CKSUMTYPE_HMAC_MD5_DES3 or CKSUMTYPE_HMAC_MD5?

I don't think either CKSUMTYPE_HMAC_MD5_DES3 or CKSUMTYPE_HMAC_MD5 are
defined currently.  I suspect it might be an MD5 hash encrypted with
triple-DES, which is not as secure as an HMAC.

Ish> Essentially, I'm asking if the process is same between the two
Ish> ciphersuites, just that HASH algorithms are different?

The hash algorithms are not the only difference.  des3-cbc-md5, like
the single-des cryptosystems, uses encrypted plaintext checksums,
which are known to have cryptographic weaknesses.  des3-cbc-sha1 uses
an HMAC instead, which eliminates these weaknesses.  des3-cbc-sha1
also uses key derivation, which provides additional strength.

Have you read the recent Kerberos crypto specification?
(draft-ietf-krb-wg-crypto-07.txt, which I think is pending
publication) It will probably make some things more clear to you.

---Tom
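
An added illustration of the two integrity layouts contrasted in the reply above; it is not part of the original post and not MIT Kerberos code. It assumes the single-DES des-cbc-md5 layout from the Kerberos crypto specification (published as RFC 3961) as the model for des3-cbc-md5, leaves out the CBC encryption step, and uses hypothetical function names with an HMAC-SHA1 stand-in for the specification's DK key derivation.

```python
import hashlib
import hmac
import struct

BLOCK = 8  # DES/3DES block size; also the confounder length


def pad(buf: bytes) -> bytes:
    """Zero-pad to a whole number of cipher blocks."""
    return buf + b"\x00" * (-len(buf) % BLOCK)


def legacy_buffer(msg: bytes, confounder: bytes) -> bytes:
    """Encrypted-plaintext-checksum layout: confounder | MD5 | msg | pad.

    The MD5 is unkeyed and computed with its own field zeroed. The result
    is then CBC-encrypted under the session key itself (not done here).
    """
    zeroed = pad(confounder + b"\x00" * 16 + msg)
    checksum = hashlib.md5(zeroed).digest()
    return zeroed[:BLOCK] + checksum + zeroed[BLOCK + 16:]


def derive(base_key: bytes, usage: int, kind: int) -> bytes:
    """STAND-IN for RFC 3961 DK(base_key, usage | kind); the real DK uses
    n-fold and the cipher. The 5-byte constant itself follows the RFC."""
    return hmac.new(base_key, struct.pack(">IB", usage, kind), hashlib.sha1).digest()


def hmac_buffer(base_key: bytes, usage: int, msg: bytes, confounder: bytes):
    """HMAC layout: encrypt pad(confounder | msg) under Ke, append
    HMAC-SHA1 of that same plaintext under Ki. Returns (Ke, plaintext, tag)."""
    ke = derive(base_key, usage, 0xAA)  # encryption key
    ki = derive(base_key, usage, 0x55)  # integrity key
    plain = pad(confounder + msg)
    return ke, plain, hmac.new(ki, plain, hashlib.sha1).digest()


if __name__ == "__main__":
    conf = bytes(range(BLOCK))           # constructed; random in practice
    msg = b"constructed sample message"
    print("legacy checksum (no key needed):", legacy_buffer(msg, conf)[8:24].hex())
    for key in (b"K" * 24, b"L" * 24):   # constructed base keys
        print("HMAC tag under", key[:1], hmac_buffer(key, 3, msg, conf)[2].hex())
```

The legacy checksum can be recomputed from the plaintext alone, so its integrity rests entirely on the encryption layer, while the HMAC tag changes with the base key and the key usage number.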

