Kerberos 3DES string-to-key

Ethan Heilman ethan at
Tue Apr 28 13:55:23 EDT 2009

I'm doing a security project on n-folding within kerberos, and I've I'm
trying to understand the designer's intentions.
I was wondering if any of the developers of kerberos could answer a design
question for me. Kerberos uses an interesting string-to-key method for 3DES.
This key-string-method uses a key expansion algorithm called n-folding to
reduce an arbitrary length string to a fixed length key. This operation
sounds very similar to a cryptographic hash function. In fact in the
documentation provided below, the string-to-key function is claimed to be a
one way function.

Why is n-folding, a key expansion algorithm, used instead of a cryptographic
hash function?
Is there a performance reason I am missing? Are the security requirements


For inclusion into RFC 1510
The assigned encryption type designating the use of triple DES is 5.

The assigned checksum type designating the use of encrypting and MD5
checksum with triple DES keys is 9.

Triple DES is implemented using three DES keys.  An Electronic CodeBook
encryption (3-DES ECB) is done by doing a DES ECB encryption of an eight
octet data block with the first DES key, performing a DES ECB decryption
of the resulting data block with the second key and performing a DES ECB
encryption of the result with the third key.

The encryption of a data stream in Cipher Block Chaining mode is
accomplished by eXclusive-ORing each eight-octet data block with the
cipher computed from the previous data block, and then performing a
3-DES ECB encryption.  The first data block is eXclusive-ORed with an
initial vector, which is commonly zero prior to performing the 3-DES

The string-to-key algorithm that is used for converting a user's
password into a 3-DES key is a one-way function, evenly distributing the
user's input in the resulting key.  The user's input is appended with
the salt information (typically the realm name), and 168-folded to
produce three DES keys sans parity.  The 168 bits are then expanded to
include odd parity, for use within the DES routines.  If any of the keys
are weak or semi-weak, they are strengthened by eXclusive-ORing the
questionable key with the constant 00000000000000F0.  The three DES keys
are then used to encrypt themselves in 3-DES CBC mode with a zero
initial vector.  This result is once again encrypted using the same keys
and key schedule and an initial vector of the last eight octets.  The
result is then parity adjusted.  If the final result yields weak or
semi-weak keys, they are also strengthened in the same manner as the
input keys.

The n-fold operation used by the string-to-key algorithm
replicates the input bit array X until its length is the least common
multiple of n bits and the length of X.  Before each replication, the
input is circularly rotated to the right by 13 bit positions.  The
successive n-bit chunks of the resulting bit array are then added
together with end-around carry to yield a n-bit result.  The first bit
position in the arrays is treated as the most significant bit.

More information about the krbdev mailing list