differences between des3-cbc-sha1 and des3-cbc-md5
Tom Yu
tlyu at MIT.EDU
Tue Sep 14 20:15:42 EDT 2004
>>>>> "Ish" == Ahluwalia, Ish <iahluwalia at sonusnet.com> writes:
Ish> When we talk about des3-cbc-sha1 support - The way I understand
Ish> it means support for des3-cbc encryption with
Ish> CKSUMTYPE_HMAC_SHA1_DES3. I hope my understanding is correct in
Ish> terms of this.

I believe this is correct, though perhaps not in the way you are
thinking. CKSUMTYPE_HMAC_SHA1_DES3 is a cryptographic checksum
(signature) algorithm which is required to be supported when a session
key type of des3-cbc-sha1 is used.

Ish> Now, for "des3-cbc-md5" encryption - it means we again need
Ish> support for des3-cbc encryption. But what checksumtype needs to be
Ish> supported - Is it CKSUMTYPE_HMAC_MD5_DES3 or CKSUMTYPE_HMAC_MD5?

I don't think either CKSUMTYPE_HMAC_MD5_DES3 or CKSUMTYPE_HMAC_MD5 is
defined currently. I suspect it might be an MD5 hash encrypted with
triple-DES, which is not as secure as an HMAC.

Ish> Essentially, I'm asking if the process is same between the two
Ish> ciphersuites, just that HASH algorithms are different?

The hash algorithms are not the only difference. des3-cbc-md5, like
the single-des cryptosystems, uses encrypted plaintext checksums,
which are known to have cryptographic weaknesses. des3-cbc-sha1 uses
an HMAC instead, which eliminates these weaknesses. des3-cbc-sha1
also uses key derivation, which provides additional strength.

Have you read the recent Kerberos crypto specification?
(draft-ietf-krb-wg-crypto-07.txt, which I think is pending
publication) It will probably make some things more clear to you.
---Tom