Des and 3DES PRF: 16 or 8 bytes

Sam Hartman hartmans-ietf at MIT.EDU
Thu Apr 30 16:25:09 EDT 2009

Folks, it was not clear in the discussion at IETf 74 whether we wanted
to have the RFC 3961 PRF for 3DES change to be an 8-byte output or
not.  Currently if you assume that the text says to truncate to the
nearest multiple of m, then the 3DES PRF should be 16 bytes.

As far as I can tell, no one is shipping DES or 3DES PRF, but I only
checked Heimdal up through 1.2.

My assumption for MIT is that we want to be consistent with RFC 3961
except for AES.

So, that would mean that 

des: cbc-encrypt(md5(prf_input))
3des: cbc-encrypt(sha-1(prf_input) trunc to 128-bits) with
rc4: hmac-sha1(prf_input) with key
aes: ecb-encrypt(sha-1(prf_input) trunc to 128-bits) with dk(key,

Do people agree with that?  If MIT should do something different for
DES or 3DES, now would be the right time to speak up.  We're fairly
committed to our RC4 and AES implementations.

More information about the krbdev mailing list